{
  "type": "Domain",
  "indicator": "issue.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/issue.net",
    "alexa": "http://www.alexa.com/siteinfo/issue.net",
    "indicator": "issue.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2140153050,
      "indicator": "issue.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "689f05dbdbe5f9b47eabe869",
          "name": "Threat Bulletin: Fire in the Woods \u2013 A New Variant of FireWood - Intezer",
          "description": "",
          "modified": "2025-08-15T10:03:07.198000",
          "created": "2025-08-15T10:03:07.198000",
          "tags": [
            "intezer",
            "ai soc",
            "firewood",
            "triage soar",
            "webinars",
            "events news",
            "variant",
            "autonomous soc",
            "use cases",
            "resource center",
            "tour",
            "august",
            "malware",
            "virustotal",
            "february",
            "agent"
          ],
          "references": [
            "https://intezer.com/blog/threat-bulletin-firewood/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "291 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689f05da4a9598f4dbfbb646",
          "name": "Threat Bulletin: Fire in the Woods \u2013 A New Variant of FireWood - Intezer",
          "description": "",
          "modified": "2025-08-15T10:03:06.803000",
          "created": "2025-08-15T10:03:06.803000",
          "tags": [
            "intezer",
            "ai soc",
            "firewood",
            "triage soar",
            "webinars",
            "events news",
            "variant",
            "autonomous soc",
            "use cases",
            "resource center",
            "tour",
            "august",
            "malware",
            "virustotal",
            "february",
            "agent"
          ],
          "references": [
            "https://intezer.com/blog/threat-bulletin-firewood/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 1
          },
          "indicator_count": 13,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "291 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6659ea571eab262a3942e77c",
          "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
          "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At current, I don't have the slightest clue what it is or what it was doing on my computer. But with majority of the */bin/ files coming back as symlinks to */bin/toybox I'm assuming it's nothing that'd enhance my day to day life for the better. Standby for further analysis. At current these are just the SHA256's of the filesystem itself.",
          "modified": "2024-05-31T15:18:47.112000",
          "created": "2024-05-31T15:18:47.112000",
          "tags": [
            "mntdevfb0",
            "mntdevhda1",
            "mntdevhda3",
            "mntdevkmem",
            "mntdevmem",
            "mntdevmmcblk0p1",
            "mntdevmmcblk0p3",
            "mntdevmtd0",
            "mntdevmtd2",
            "mntdevmtd4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Merkd1904",
            "id": "196517",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1991,
            "domain": 70
          },
          "indicator_count": 2063,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "732 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65dc6dbf8ffd11f47a3cba53",
          "name": "Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant) - ASEC BLOG",
          "description": "Nood RAT is a variant of the Gh0st remote control malware developed by the C. Rufus Security Team of China, which has been used in a number of vulnerability attacks.",
          "modified": "2024-03-27T10:00:23.704000",
          "created": "2024-02-26T10:53:51.224000",
          "tags": [
            "nood rat",
            "gh0st rat",
            "linux",
            "c server",
            "key type",
            "rc4 algorithm",
            "rc4 key",
            "asec",
            "nood",
            "mssql",
            "cloud snooper",
            "korean",
            "rocke",
            "path",
            "format",
            "date",
            "gh0st",
            "overview gh0st",
            "linux nood"
          ],
          "references": [
            "https://asec.ahnlab.com/en/62144/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Overview Gh0st",
              "display_name": "Overview Gh0st",
              "target": null
            },
            {
              "id": "Cloud Snooper",
              "display_name": "Cloud Snooper",
              "target": null
            },
            {
              "id": "Linux Nood",
              "display_name": "Linux Nood",
              "target": null
            },
            {
              "id": "Nood RAT",
              "display_name": "Nood RAT",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Gh0st",
              "display_name": "Gh0st",
              "target": null
            },
            {
              "id": "Nood",
              "display_name": "Nood",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 13,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 7,
            "URL": 16,
            "domain": 1,
            "hostname": 5
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "797 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://intezer.com/blog/threat-bulletin-firewood/",
        "https://asec.ahnlab.com/en/62144/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Linux nood",
            "Cloud snooper",
            "Nood rat",
            "Linux",
            "Gh0st",
            "Nood",
            "Overview gh0st"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "689f05dbdbe5f9b47eabe869",
      "name": "Threat Bulletin: Fire in the Woods \u2013 A New Variant of FireWood - Intezer",
      "description": "",
      "modified": "2025-08-15T10:03:07.198000",
      "created": "2025-08-15T10:03:07.198000",
      "tags": [
        "intezer",
        "ai soc",
        "firewood",
        "triage soar",
        "webinars",
        "events news",
        "variant",
        "autonomous soc",
        "use cases",
        "resource center",
        "tour",
        "august",
        "malware",
        "virustotal",
        "february",
        "agent"
      ],
      "references": [
        "https://intezer.com/blog/threat-bulletin-firewood/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "291 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689f05da4a9598f4dbfbb646",
      "name": "Threat Bulletin: Fire in the Woods \u2013 A New Variant of FireWood - Intezer",
      "description": "",
      "modified": "2025-08-15T10:03:06.803000",
      "created": "2025-08-15T10:03:06.803000",
      "tags": [
        "intezer",
        "ai soc",
        "firewood",
        "triage soar",
        "webinars",
        "events news",
        "variant",
        "autonomous soc",
        "use cases",
        "resource center",
        "tour",
        "august",
        "malware",
        "virustotal",
        "february",
        "agent"
      ],
      "references": [
        "https://intezer.com/blog/threat-bulletin-firewood/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 1
      },
      "indicator_count": 13,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "291 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6659ea571eab262a3942e77c",
      "name": "system.img - Unidentified Android Ext4 filesystem pulled from my machine",
      "description": "Honestly I can't recall where I fished this out of, but I had stashed it on a cloud storage drive for later exploitation, which is what this is. At current, I don't have the slightest clue what it is or what it was doing on my computer. But with majority of the */bin/ files coming back as symlinks to */bin/toybox I'm assuming it's nothing that'd enhance my day to day life for the better. Standby for further analysis. At current these are just the SHA256's of the filesystem itself.",
      "modified": "2024-05-31T15:18:47.112000",
      "created": "2024-05-31T15:18:47.112000",
      "tags": [
        "mntdevfb0",
        "mntdevhda1",
        "mntdevhda3",
        "mntdevkmem",
        "mntdevmem",
        "mntdevmmcblk0p1",
        "mntdevmmcblk0p3",
        "mntdevmtd0",
        "mntdevmtd2",
        "mntdevmtd4"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Merkd1904",
        "id": "196517",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1991,
        "domain": 70
      },
      "indicator_count": 2063,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 73,
      "modified_text": "732 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65dc6dbf8ffd11f47a3cba53",
      "name": "Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT's Variant) - ASEC BLOG",
      "description": "Nood RAT is a variant of the Gh0st remote control malware developed by the C. Rufus Security Team of China, which has been used in a number of vulnerability attacks.",
      "modified": "2024-03-27T10:00:23.704000",
      "created": "2024-02-26T10:53:51.224000",
      "tags": [
        "nood rat",
        "gh0st rat",
        "linux",
        "c server",
        "key type",
        "rc4 algorithm",
        "rc4 key",
        "asec",
        "nood",
        "mssql",
        "cloud snooper",
        "korean",
        "rocke",
        "path",
        "format",
        "date",
        "gh0st",
        "overview gh0st",
        "linux nood"
      ],
      "references": [
        "https://asec.ahnlab.com/en/62144/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Overview Gh0st",
          "display_name": "Overview Gh0st",
          "target": null
        },
        {
          "id": "Cloud Snooper",
          "display_name": "Cloud Snooper",
          "target": null
        },
        {
          "id": "Linux Nood",
          "display_name": "Linux Nood",
          "target": null
        },
        {
          "id": "Nood RAT",
          "display_name": "Nood RAT",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Gh0st",
          "display_name": "Gh0st",
          "target": null
        },
        {
          "id": "Nood",
          "display_name": "Nood",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 13,
        "FileHash-SHA1": 7,
        "FileHash-SHA256": 7,
        "URL": 16,
        "domain": 1,
        "hostname": 5
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "797 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "issue.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "issue.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780461620.1387799
}