{ "type": "Domain", "indicator": "ironshieldsecurity.space", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/ironshieldsecurity.space", "alexa": "http://www.alexa.com/siteinfo/ironshieldsecurity.space", "indicator": "ironshieldsecurity.space", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4278920957, "indicator": "ironshieldsecurity.space", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f340364397310a3917b55d", "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools", "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities, including their proprietary tools such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and tunneling traffic.", "modified": "2026-05-30T11:33:05.564000", "created": "2026-04-30T11:42:46.807000", "tags": [ "phantomcore", "pt esc", "lockbit", "positive", "trueconf", "rsocx", "phantomsscp", "mactunnelrat", "ps.phatnomlatch", "win64.phantomsscp", "win32.lolbin.a", "generic.b", "generic.a" ], "references": [ "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PS.PhatnomLatch", "display_name": "PS.PhatnomLatch", "target": null }, { "id": "Win64.PhantomSscp", "display_name": "Win64.PhantomSscp", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 8, "domain": 28 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c11a7af2eef3b40ceb6e31", "name": "Head Mare campaign with PhantomPxPigeon backdoor and infected TrueConf software installation files", "description": "In February 2026, a campaign attributed to the Head Mare group began targeting educational and scientific institutions, alongside organizations in the energy sector across Russia. This malicious activity was active since at least December 2025, utilizing an attack vector that involved deceptive video conference invitations. Victims who clicked on the invitation links were instructed to install a service to join the video call, which inadvertently led to the installation of a new backdoor identified as PhantomPxPigeon on their systems.", "modified": "2026-03-23T10:48:26.039000", "created": "2026-03-23T10:48:26.039000", "tags": [ "head mare", "trueconf", "detection", "response expert", "kaspersky", "head", "mare", "phantompxpigeon", "bdu202510116", "kedr expert", "edr expert" ], "references": [ "https://securelist.ru/head-mare-campaign-phantompxpigeon-backdoor-and-trueconf-software/114998/" ], "public": 1, "adversary": "Head Mare", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Education", "Transportation", "Energy", "Science" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "domain": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.pdf", "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/", "https://securelist.ru/head-mare-campaign-phantompxpigeon-backdoor-and-trueconf-software/114998/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Head Mare", "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana" ], "malware_families": [ "Ps.phatnomlatch", "Win64.phantomsscp" ], "industries": [ "Transportation", "Education", "Science", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f340364397310a3917b55d", "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools", "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities, including their proprietary tools such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and tunneling traffic.", "modified": "2026-05-30T11:33:05.564000", "created": "2026-04-30T11:42:46.807000", "tags": [ "phantomcore", "pt esc", "lockbit", "positive", "trueconf", "rsocx", "phantomsscp", "mactunnelrat", "ps.phatnomlatch", "win64.phantomsscp", "win32.lolbin.a", "generic.b", "generic.a" ], "references": [ "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PS.PhatnomLatch", "display_name": "PS.PhatnomLatch", "target": null }, { "id": "Win64.PhantomSscp", "display_name": "Win64.PhantomSscp", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 8, "domain": 28 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd44f15d660f597a2596b4", "name": "EbeeMar2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:16:49.921000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "DTO malware, GoPix banking Trojan, SERPENTINE#CLOUD, FAUX#ELEVATE, Katana", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 84, "CIDR": 1, "CVE": 9, "FileHash-MD5": 178, "FileHash-SHA1": 146, "FileHash-SHA256": 274, "domain": 106, "email": 2, "hostname": 103 }, "indicator_count": 903, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c11a7af2eef3b40ceb6e31", "name": "Head Mare campaign with PhantomPxPigeon backdoor and infected TrueConf software installation files", "description": "In February 2026, a campaign attributed to the Head Mare group began targeting educational and scientific institutions, alongside organizations in the energy sector across Russia. This malicious activity was active since at least December 2025, utilizing an attack vector that involved deceptive video conference invitations. Victims who clicked on the invitation links were instructed to install a service to join the video call, which inadvertently led to the installation of a new backdoor identified as PhantomPxPigeon on their systems.", "modified": "2026-03-23T10:48:26.039000", "created": "2026-03-23T10:48:26.039000", "tags": [ "head mare", "trueconf", "detection", "response expert", "kaspersky", "head", "mare", "phantompxpigeon", "bdu202510116", "kedr expert", "edr expert" ], "references": [ "https://securelist.ru/head-mare-campaign-phantompxpigeon-backdoor-and-trueconf-software/114998/" ], "public": 1, "adversary": "Head Mare", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Education", "Transportation", "Energy", "Science" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "domain": 2 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "68 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ironshieldsecurity.space", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "ironshieldsecurity.space", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780214635.440576 }