{
  "type": "Domain",
  "indicator": "iosjdfsmdkf.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/iosjdfsmdkf.com",
    "alexa": "http://www.alexa.com/siteinfo/iosjdfsmdkf.com",
    "indicator": "iosjdfsmdkf.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4054830009,
      "indicator": "iosjdfsmdkf.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "67ef8546d1d9ef9cd8e91906",
          "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation",
          "description": "The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.",
          "modified": "2025-05-04T07:02:31.627000",
          "created": "2025-04-04T07:07:50.118000",
          "tags": [
            "crm",
            "phishing",
            "coinbase",
            "cryptocurrency",
            "bulk email",
            "ledger",
            "seed phrase poisoning",
            "supply chain"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/"
          ],
          "public": 1,
          "adversary": "PoisonSeed",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 42,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386907,
          "modified_text": "394 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68409244750c4c3b0bbb7729",
          "name": "IOCs 2025 JAN-MAY",
          "description": "Latest IOCs emerged in 2025",
          "modified": "2025-07-04T18:05:18.397000",
          "created": "2025-06-04T18:36:51.684000",
          "tags": [],
          "references": [
            "IOC.pdf"
          ],
          "public": 1,
          "adversary": "Multiple Threat Actors",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 15,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 141,
            "FileHash-SHA256": 117,
            "domain": 128,
            "email": 2,
            "hostname": 12
          },
          "indicator_count": 521,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6818a576d9c3eec75bbd99ab",
          "name": "PoisonSeed Phishing Campaign Exploits Wallet Seed Phrases in Targeted Email Attacks",
          "description": "The following is a full list of links from the 21st Century, which have been shared by the BBC and other sites, and this is the full set of information.",
          "modified": "2025-06-04T11:00:42.004000",
          "created": "2025-05-05T11:48:06.952000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "363 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f86a1c7951763be9e06945",
          "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation - Silent Push",
          "description": "The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. The attackers compromise these platforms to extract email lists and disseminate cryptocurrency-themed spam. A notable tactic involves distributing fraudulent \"seed phrases\" to entice recipients into creating new cryptocurrency wallets, which are subsequently compromised by the threat actors. This campaign has impacted enterprise organizations and individuals outside the cryptocurrency sector, with links to known threat groups like Scattered Spider and CryptoChameleon.",
          "modified": "2025-05-11T01:04:31.743000",
          "created": "2025-04-11T01:02:20.821000",
          "tags": [
            "cryptochameleon",
            "poisonseed",
            "whois",
            "silent push",
            "march",
            "troy hunt",
            "state",
            "akamai sendgrid",
            "akamai",
            "coinbase",
            "upgrade",
            "april",
            "push",
            "click",
            "back"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PoisonSeed",
              "display_name": "PoisonSeed",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 44
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "387 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f423b6d7efd7b56a823f8d",
          "name": "PoisonSeed Campaign Hijacks CRM Systems to Spread Malicious Crypto Seed Phrases",
          "description": "A new malicious campaign, dubbed PoisonSeed, is exploiting stolen credentials from CRM platforms and bulk email services to send spam messages containing fake cryptocurrency seed phrases. The goal is to trick victims into importing these phrases into their digital wallets, allowing attackers to drain their funds.",
          "modified": "2025-05-07T18:02:38.028000",
          "created": "2025-04-07T19:12:54.433000",
          "tags": [
            "cryptochameleon",
            "poisonseed",
            "whois",
            "silent push",
            "march",
            "troy hunt",
            "state",
            "akamai sendgrid",
            "akamai",
            "coinbase",
            "upgrade",
            "april",
            "push",
            "click",
            "back"
          ],
          "references": [
            "https://www.silentpush.com/blog/poisonseed/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PoisonSeed",
              "display_name": "PoisonSeed",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 44
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed",
        "https://www.silentpush.com/blog/poisonseed/",
        "IOC.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "PoisonSeed"
          ],
          "malware_families": [],
          "industries": [
            "Technology",
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "Multiple Threat Actors"
          ],
          "malware_families": [
            "Poisonseed"
          ],
          "industries": [
            "Cryptocurrency",
            "Crypto"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "67ef8546d1d9ef9cd8e91906",
      "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation",
      "description": "The PoisonSeed campaign is targeting enterprise organizations and individuals outside the cryptocurrency industry by phishing CRM and bulk email provider credentials. The attackers export email lists and send bulk spam from compromised accounts, primarily to support cryptocurrency spam operations. The campaign uses a novel cryptocurrency seed phrase poisoning attack, providing security seed phrases to trick victims into copying them into new cryptocurrency wallets for future compromise. While similarities exist with Scattered Spider and CryptoChameleon groups, PoisonSeed is currently classified separately due to unique characteristics. The campaign has targeted companies like Coinbase, Ledger, Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho, using sophisticated phishing techniques and automated processes to quickly exploit compromised accounts.",
      "modified": "2025-05-04T07:02:31.627000",
      "created": "2025-04-04T07:07:50.118000",
      "tags": [
        "crm",
        "phishing",
        "coinbase",
        "cryptocurrency",
        "bulk email",
        "ledger",
        "seed phrase poisoning",
        "supply chain"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/"
      ],
      "public": 1,
      "adversary": "PoisonSeed",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1587",
          "name": "Develop Capabilities",
          "display_name": "T1587 - Develop Capabilities"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 42,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386907,
      "modified_text": "394 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68409244750c4c3b0bbb7729",
      "name": "IOCs 2025 JAN-MAY",
      "description": "Latest IOCs emerged in 2025",
      "modified": "2025-07-04T18:05:18.397000",
      "created": "2025-06-04T18:36:51.684000",
      "tags": [],
      "references": [
        "IOC.pdf"
      ],
      "public": 1,
      "adversary": "Multiple Threat Actors",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 15,
        "FileHash-MD5": 106,
        "FileHash-SHA1": 141,
        "FileHash-SHA256": 117,
        "domain": 128,
        "email": 2,
        "hostname": 12
      },
      "indicator_count": 521,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6818a576d9c3eec75bbd99ab",
      "name": "PoisonSeed Phishing Campaign Exploits Wallet Seed Phrases in Targeted Email Attacks",
      "description": "The following is a full list of links from the 21st Century, which have been shared by the BBC and other sites, and this is the full set of information.",
      "modified": "2025-06-04T11:00:42.004000",
      "created": "2025-05-05T11:48:06.952000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "363 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f86a1c7951763be9e06945",
      "name": "PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation - Silent Push",
      "description": "The PoisonSeed campaign is a sophisticated phishing operation targeting CRM and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho. The attackers compromise these platforms to extract email lists and disseminate cryptocurrency-themed spam. A notable tactic involves distributing fraudulent \"seed phrases\" to entice recipients into creating new cryptocurrency wallets, which are subsequently compromised by the threat actors. This campaign has impacted enterprise organizations and individuals outside the cryptocurrency sector, with links to known threat groups like Scattered Spider and CryptoChameleon.",
      "modified": "2025-05-11T01:04:31.743000",
      "created": "2025-04-11T01:02:20.821000",
      "tags": [
        "cryptochameleon",
        "poisonseed",
        "whois",
        "silent push",
        "march",
        "troy hunt",
        "state",
        "akamai sendgrid",
        "akamai",
        "coinbase",
        "upgrade",
        "april",
        "push",
        "click",
        "back"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/#Continuing-to-Track-PoisonSeed"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PoisonSeed",
          "display_name": "PoisonSeed",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 44
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "387 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f423b6d7efd7b56a823f8d",
      "name": "PoisonSeed Campaign Hijacks CRM Systems to Spread Malicious Crypto Seed Phrases",
      "description": "A new malicious campaign, dubbed PoisonSeed, is exploiting stolen credentials from CRM platforms and bulk email services to send spam messages containing fake cryptocurrency seed phrases. The goal is to trick victims into importing these phrases into their digital wallets, allowing attackers to drain their funds.",
      "modified": "2025-05-07T18:02:38.028000",
      "created": "2025-04-07T19:12:54.433000",
      "tags": [
        "cryptochameleon",
        "poisonseed",
        "whois",
        "silent push",
        "march",
        "troy hunt",
        "state",
        "akamai sendgrid",
        "akamai",
        "coinbase",
        "upgrade",
        "april",
        "push",
        "click",
        "back"
      ],
      "references": [
        "https://www.silentpush.com/blog/poisonseed/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PoisonSeed",
          "display_name": "PoisonSeed",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1495",
          "name": "Firmware Corruption",
          "display_name": "T1495 - Firmware Corruption"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 44
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "iosjdfsmdkf.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "iosjdfsmdkf.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780412715.4669576
}