{ "type": "Domain", "indicator": "ios-deviceprotect.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ios-deviceprotect.com", "alexa": "http://www.alexa.com/siteinfo/ios-deviceprotect.com", "indicator": "ios-deviceprotect.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4300856290, "indicator": "ios-deviceprotect.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69d6a7cc78297c29949500de", "name": "Canis C2 Exposed: Previously Undocumented Cross-Platform ...", "description": "On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.", "modified": "2026-04-09T17:44:40.619000", "created": "2026-04-08T19:09:00.202000", "tags": [ "phishing", "canis", "cross platform", "browser", "infostealer" ], "references": [ "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a026d1302c9455055c93776", "name": "hdsaljlkdldjlksjalkjlksdajlkdas", "description": "", "modified": "2026-05-11T23:58:11.141000", "created": "2026-05-11T23:58:11.141000", "tags": [ "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 953, "FileHash-MD5": 151, "FileHash-SHA1": 50, "FileHash-SHA256": 54, "IPv4": 858, "domain": 214, "hostname": 559 }, "indicator_count": 2839, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d806f2194b5961840e0ca1", "name": "Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan", "description": "On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.", "modified": "2026-04-09T20:09:07.532000", "created": "2026-04-09T20:07:14.955000", "tags": [ "phishing", "canis", "cross platform", "browser", "infostealer" ], "references": [ "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "69d6a7cc78297c29949500de", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "51 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan", "IOCs.April.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69d6a7cc78297c29949500de", "name": "Canis C2 Exposed: Previously Undocumented Cross-Platform ...", "description": "On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.", "modified": "2026-04-09T17:44:40.619000", "created": "2026-04-08T19:09:00.202000", "tags": [ "phishing", "canis", "cross platform", "browser", "infostealer" ], "references": [ "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "51 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c5f7aa93975cc28fa3ca", "name": "EbeeApril2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-16T11:03:51.843000", "created": "2026-04-16T11:20:23.973000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "ASO RAT, REFUNDEE, NightSpire Ransomware, Fake Claude site installs malware, MiniDionis, Canis C2", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 6, "FileHash-MD5": 161, "FileHash-SHA1": 152, "FileHash-SHA256": 100, "URL": 110, "domain": 104, "email": 4, "hostname": 76 }, "indicator_count": 714, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a026d1302c9455055c93776", "name": "hdsaljlkdldjlksjalkjlksdajlkdas", "description": "", "modified": "2026-05-11T23:58:11.141000", "created": "2026-05-11T23:58:11.141000", "tags": [ "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 953, "FileHash-MD5": 151, "FileHash-SHA1": 50, "FileHash-SHA256": 54, "IPv4": 858, "domain": 214, "hostname": 559 }, "indicator_count": 2839, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d806f2194b5961840e0ca1", "name": "Canis C2 Exposed: Previously Undocumented Cross-Platform Surveillance Framework Targeting Japan", "description": "On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.", "modified": "2026-04-09T20:09:07.532000", "created": "2026-04-09T20:07:14.955000", "tags": [ "phishing", "canis", "cross platform", "browser", "infostealer" ], "references": [ "https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": "69d6a7cc78297c29949500de", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 2, "URL": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "51 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ios-deviceprotect.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ios-deviceprotect.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780192296.621582 }