{
  "type": "Domain",
  "indicator": "interocakate.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/interocakate.com",
    "alexa": "http://www.alexa.com/siteinfo/interocakate.com",
    "indicator": "interocakate.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3882303580,
      "indicator": "interocakate.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "673d0a283fc9a37bebd76dc6",
          "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet",
          "description": "The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.",
          "modified": "2024-12-19T21:05:39.998000",
          "created": "2024-11-19T21:59:04.039000",
          "tags": [
            "ddos",
            "proxy service",
            "nsocks",
            "soho routers",
            "botnet",
            "shopsocks5",
            "cybercrime",
            "iot devices",
            "vn5socks",
            "ngioweb"
          ],
          "references": [
            "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "ngioweb",
              "display_name": "ngioweb",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13,
            "FileHash-MD5": 1
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386763,
          "modified_text": "529 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "673b4d74f0567c0115bd2c97",
          "name": "Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices",
          "description": "Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. Once compromised, the Ngioweb malware is deployed, running in memory and connecting to command-and-control servers. The entire process, from initial infection to listing the device on a residential proxy marketplace, can take as little as 10 minutes. Water Barghest targets various IoT devices from brands like Cisco, DrayTek, and Zyxel, using both n-day vulnerabilities and at least one zero-day exploit. Their sophisticated operation has allowed them to maintain a low profile while generating steady income through their cybercriminal activities.",
          "modified": "2024-11-18T16:31:49.164000",
          "created": "2024-11-18T14:21:40.330000",
          "tags": [
            "iot",
            "vulnerability exploitation",
            "residential proxy marketplace",
            "botnet",
            "proxy",
            "ngioweb"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/24/k/water-barghest.html"
          ],
          "public": 1,
          "adversary": "Water Barghest",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ngioweb",
              "display_name": "Ngioweb",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 45,
            "domain": 22,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15
          },
          "indicator_count": 97,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386764,
          "modified_text": "560 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c5add7ed904b891e4b73b6",
          "name": "Ngioweb Proxy",
          "description": "This pulse contains IOCs related to Ngioweb Infrastructure. Additions are automatically added based on OTX sandboxed samples.",
          "modified": "2024-11-04T09:05:45.588000",
          "created": "2024-08-21T09:05:27.850000",
          "tags": [
            "Ngioweb",
            "NSOCKS"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ngioweb (ELF)",
              "display_name": "Ngioweb (ELF)",
              "target": null
            },
            {
              "id": "Ngioweb (Windows)",
              "display_name": "Ngioweb (Windows)",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66c5aceea74b8dd28a7d16ff",
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 103,
            "hostname": 36,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 3
          },
          "indicator_count": 146,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386761,
          "modified_text": "574 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b39de921cdfe8b6ebcc220",
          "name": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
          "description": "TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.",
          "modified": "2024-09-06T16:05:06.391000",
          "created": "2024-08-07T16:16:41.356000",
          "tags": [
            "botnet",
            "routers",
            "espionage",
            "cybercrime",
            "ngioweb",
            "sshdoor",
            "proxy"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT28",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SSHDoor",
              "display_name": "SSHDoor",
              "target": null
            },
            {
              "id": "Ngioweb",
              "display_name": "Ngioweb",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1091",
              "name": "Replication Through Removable Media",
              "display_name": "T1091 - Replication Through Removable Media"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1556",
              "name": "Modify Authentication Process",
              "display_name": "T1556 - Modify Authentication Process"
            },
            {
              "id": "T1211",
              "name": "Exploitation for Defense Evasion",
              "display_name": "T1211 - Exploitation for Defense Evasion"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 229,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 27,
            "domain": 11,
            "hostname": 17
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386767,
          "modified_text": "633 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "107 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "353 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67476e57c59e3d680bdd9e70",
          "name": "'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse",
          "description": "",
          "modified": "2024-12-28T00:01:55.115000",
          "created": "2024-11-27T19:09:10.839000",
          "tags": [
            "classification",
            "cyber threat",
            "november",
            "time",
            "crypto cyber",
            "defence",
            "confidential",
            "domains",
            "sha256"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 43,
            "domain": 26,
            "hostname": 3
          },
          "indicator_count": 108,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "520 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "673dded7f40dd192014bfb8f",
          "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet",
          "description": "The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal.\n# Loader C2 Tier 2, which aims to identify and track users' IP addresses, has been launched by the Ministry of Defence (MoD) and the Russian Foreign Minister Sergei Lavrov.",
          "modified": "2024-12-20T13:04:00.850000",
          "created": "2024-11-20T13:06:31.364000",
          "tags": [
            "active dga",
            "loader c2",
            "tier",
            "loader c2s",
            "bot c2s",
            "dns server",
            "c2s ips",
            "backconnect c2s"
          ],
          "references": [
            "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "528 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "673c91be07f436d9a5ff92af",
          "name": "Inside Water Barghest\u2019s Rapid Exploit-to-Market Strategy for IoT Devices",
          "description": "Inside Water Barghest\u2019s Rapid Exploit-to-Market Strategy for IoT Devices: A guide to the best ways to spot when a device is being targeted by cyber-thieves.",
          "modified": "2024-12-19T13:03:09.256000",
          "created": "2024-11-19T13:25:18.784000",
          "tags": [
            "secondstage c",
            "scanner",
            "malware",
            "water barghest",
            "strategy",
            "domain name",
            "description",
            "historical",
            "files sha256",
            "c url"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/water-barghest/IOClist-Water_Barghest.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 43,
            "domain": 26,
            "hostname": 3
          },
          "indicator_count": 102,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "529 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "563 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66323404dfcfb588281ff377",
          "name": "Cybercriminals and Nation-States Sharing Compromised Networks",
          "description": "",
          "modified": "2024-05-31T12:03:52.896000",
          "created": "2024-05-01T12:22:28.969000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 27,
            "domain": 15,
            "hostname": 22
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "731 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66320d47fbc73ba632844202",
          "name": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
          "description": "A guide to the most commonly used passwords for computers, smartphones, tablets and smart phones, as compiled by the Institute for Strategic Studies (ISTS) and published in the journal Open Source.",
          "modified": "2024-05-31T09:02:56.598000",
          "created": "2024-05-01T09:37:11.048000",
          "tags": [
            "ngioweb c",
            "sshdoor",
            "pawn storm",
            "old c",
            "historic c",
            "new c",
            "sshdoor mipsii",
            "edgerouter",
            "fixed port",
            "description",
            "storm",
            "ngioweb"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/d/cybercriminals-and-nation-states-sharing-compromised-networks/ioc-router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.txt",
            "https://www.trendmicro.com/en_us/research/24/e/router-roulette.html"
          ],
          "public": 1,
          "adversary": "Pawn Storm",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ngioweb",
              "display_name": "Ngioweb",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 27,
            "domain": 15,
            "hostname": 22
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "731 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663c3edfdfb7353b19346f71",
          "name": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
          "description": "",
          "modified": "2024-05-31T09:02:56.598000",
          "created": "2024-05-09T03:11:27.622000",
          "tags": [
            "ngioweb c",
            "sshdoor",
            "pawn storm",
            "old c",
            "historic c",
            "new c",
            "sshdoor mipsii",
            "edgerouter",
            "fixed port",
            "description",
            "storm",
            "ngioweb"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/d/cybercriminals-and-nation-states-sharing-compromised-networks/ioc-router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.txt",
            "https://www.trendmicro.com/en_us/research/24/e/router-roulette.html"
          ],
          "public": 1,
          "adversary": "Pawn Storm",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ngioweb",
              "display_name": "Ngioweb",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "66320d47fbc73ba632844202",
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 27,
            "domain": 15,
            "hostname": 22
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "731 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663f43c06ac04d73098438a6",
          "name": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
          "description": "",
          "modified": "2024-05-31T09:02:56.598000",
          "created": "2024-05-11T10:09:04.327000",
          "tags": [
            "ngioweb c",
            "sshdoor",
            "pawn storm",
            "old c",
            "historic c",
            "new c",
            "sshdoor mipsii",
            "edgerouter",
            "fixed port",
            "description",
            "storm",
            "ngioweb"
          ],
          "references": [
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/d/cybercriminals-and-nation-states-sharing-compromised-networks/ioc-router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.txt",
            "https://www.trendmicro.com/en_us/research/24/e/router-roulette.html"
          ],
          "public": 1,
          "adversary": "Pawn Storm",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ngioweb",
              "display_name": "Ngioweb",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "663c3edfdfb7353b19346f71",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 27,
            "domain": 15,
            "hostname": 22
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 279,
          "modified_text": "731 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://www.trendmicro.com/en_us/research/24/k/water-barghest.html",
        "https://www.trendmicro.com/en_us/research/24/e/router-roulette.html",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/d/cybercriminals-and-nation-states-sharing-compromised-networks/ioc-router-roulette-cybercriminals-and-nation-states-sharing-compromised-networks.txt",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/water-barghest/IOClist-Water_Barghest.txt",
        "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Water Barghest",
            "APT28"
          ],
          "malware_families": [
            "Ngioweb (windows)",
            "Sshdoor",
            "Ngioweb (elf)",
            "Ngioweb"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Pawn Storm"
          ],
          "malware_families": [
            "Ngioweb"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "673d0a283fc9a37bebd76dc6",
      "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet",
      "description": "The ngioweb botnet serves as the foundation for the NSOCKS criminal proxy service, maintaining over 35,000 bots daily across 180 countries. The botnet primarily targets SOHO routers and IoT devices, with two-thirds of proxies based in the U.S. NSOCKS utilizes over 180 'backconnect' C2 nodes to obscure users' identities. The infrastructure enables various threat actors to create their own services and launch DDoS attacks. The botnet employs multiple exploits, targeting vulnerable devices and evading common security solutions. NSOCKS is notorious among criminal forums and has been used by groups like Muddled Libra. The service allows users to purchase proxies with cryptocurrency, offering features such as domain filtering for targeted use. The open nature of NSOCKS has led to its abuse by other actors, including DDoS attackers and other proxy services like Shopsocks5 and VN5Socks.",
      "modified": "2024-12-19T21:05:39.998000",
      "created": "2024-11-19T21:59:04.039000",
      "tags": [
        "ddos",
        "proxy service",
        "nsocks",
        "soho routers",
        "botnet",
        "shopsocks5",
        "cybercrime",
        "iot devices",
        "vn5socks",
        "ngioweb"
      ],
      "references": [
        "https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "ngioweb",
          "display_name": "ngioweb",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13,
        "FileHash-MD5": 1
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386763,
      "modified_text": "529 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "673b4d74f0567c0115bd2c97",
      "name": "Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices",
      "description": "Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. Once compromised, the Ngioweb malware is deployed, running in memory and connecting to command-and-control servers. The entire process, from initial infection to listing the device on a residential proxy marketplace, can take as little as 10 minutes. Water Barghest targets various IoT devices from brands like Cisco, DrayTek, and Zyxel, using both n-day vulnerabilities and at least one zero-day exploit. Their sophisticated operation has allowed them to maintain a low profile while generating steady income through their cybercriminal activities.",
      "modified": "2024-11-18T16:31:49.164000",
      "created": "2024-11-18T14:21:40.330000",
      "tags": [
        "iot",
        "vulnerability exploitation",
        "residential proxy marketplace",
        "botnet",
        "proxy",
        "ngioweb"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/24/k/water-barghest.html"
      ],
      "public": 1,
      "adversary": "Water Barghest",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ngioweb",
          "display_name": "Ngioweb",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 45,
        "domain": 22,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15
      },
      "indicator_count": 97,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386764,
      "modified_text": "560 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66c5add7ed904b891e4b73b6",
      "name": "Ngioweb Proxy",
      "description": "This pulse contains IOCs related to Ngioweb infrastructure. New indicators are added automatically based on OTX sandboxed samples.",
      "modified": "2024-11-04T09:05:45.588000",
      "created": "2024-08-21T09:05:27.850000",
      "tags": [
        "Ngioweb",
        "NSOCKS"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ngioweb (ELF)",
          "display_name": "Ngioweb (ELF)",
          "target": null
        },
        {
          "id": "Ngioweb (Windows)",
          "display_name": "Ngioweb (Windows)",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "66c5aceea74b8dd28a7d16ff",
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 103,
        "hostname": 36,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 3
      },
      "indicator_count": 146,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386761,
      "modified_text": "574 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b39de921cdfe8b6ebcc220",
      "name": "Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks",
      "description": "TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.",
      "modified": "2024-09-06T16:05:06.391000",
      "created": "2024-08-07T16:16:41.356000",
      "tags": [
        "botnet",
        "routers",
        "espionage",
        "cybercrime",
        "ngioweb",
        "sshdoor",
        "proxy"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT28",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SSHDoor",
          "display_name": "SSHDoor",
          "target": null
        },
        {
          "id": "Ngioweb",
          "display_name": "Ngioweb",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1091",
          "name": "Replication Through Removable Media",
          "display_name": "T1091 - Replication Through Removable Media"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1556",
          "name": "Modify Authentication Process",
          "display_name": "T1556 - Modify Authentication Process"
        },
        {
          "id": "T1211",
          "name": "Exploitation for Defense Evasion",
          "display_name": "T1211 - Exploitation for Defense Evasion"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 229,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 27,
        "domain": 11,
        "hostname": 17
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386767,
      "modified_text": "633 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "107 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "353 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67476e57c59e3d680bdd9e70",
      "name": "'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse",
      "description": "",
      "modified": "2024-12-28T00:01:55.115000",
      "created": "2024-11-27T19:09:10.839000",
      "tags": [
        "classification",
        "cyber threat",
        "november",
        "time",
        "crypto cyber",
        "defence",
        "confidential",
        "domains",
        "sha256"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 43,
        "domain": 26,
        "hostname": 3
      },
      "indicator_count": 108,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "520 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "673dded7f40dd192014bfb8f",
      "name": "One Sock Fits All: The use and abuse of the NSOCKS botnet",
      "description": "The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal.\n# Loader C2 Tier 2, which aims to identify and track users' IP addresses, has been launched by the Ministry of Defence (MoD) and the Russian Foreign Minister Sergei Lavrov.",
      "modified": "2024-12-20T13:04:00.850000",
      "created": "2024-11-20T13:06:31.364000",
      "tags": [
        "active dga",
        "loader c2",
        "tier",
        "loader c2s",
        "bot c2s",
        "dns server",
        "c2s ips",
        "backconnect c2s"
      ],
      "references": [
        "https://raw.githubusercontent.com/blacklotuslabs/IOCs/refs/heads/main/NSOCKS_IOCs.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "528 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "673c91be07f436d9a5ff92af",
      "name": "Inside Water Barghest\u2019s Rapid Exploit-to-Market Strategy for IoT Devices",
      "description": "Inside Water Barghest\u2019s Rapid Exploit-to-Market Strategy for IoT Devices: A guide to the best ways to spot when a device is being targeted by cyber-thieves.",
      "modified": "2024-12-19T13:03:09.256000",
      "created": "2024-11-19T13:25:18.784000",
      "tags": [
        "secondstage c",
        "scanner",
        "malware",
        "water barghest",
        "strategy",
        "domain name",
        "description",
        "historical",
        "files sha256",
        "c url"
      ],
      "references": [
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/water-barghest/IOClist-Water_Barghest.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 43,
        "domain": 26,
        "hostname": 3
      },
      "indicator_count": 102,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "529 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "554 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "interocakate.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "interocakate.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780352286.9581919
}