{ "type": "Domain", "indicator": "itter.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/itter.com", "alexa": "http://www.alexa.com/siteinfo/itter.com", "indicator": "itter.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3179118657, "indicator": "itter.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 20, "pulses": [ { "id": "663b5f7e5b2287dec38a1b3b", "name": "Code Emulation and Cybercrime Infrastructure Discovery", "description": "This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various malicious activities, including the SocGholish malware. The report highlights how exploring the infrastructure behind these threats can reveal interconnected cybercrime operations and enable proactive defense.", "modified": "2024-06-07T11:05:52.899000", "created": "2024-05-08T11:18:22.640000", "tags": [ "ransomware", "socgholish", "stealer", "matanbuchus", "loader", "emulation", "bulletproof" ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1578.004", "name": "Revert Cloud Instance", "display_name": "T1578.004 - Revert Cloud Instance" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 367, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 8, "domain": 41, "hostname": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386751, "modified_text": "724 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf2bee5c7200ce4af4593b", "name": "Reconnaissance | Network Attack CREATED 9 MONTHS AGO MODIFIED 8 MONTHS AGO by Q.Vashti credit", "description": "", "modified": "2026-05-14T02:04:19.615000", "created": "2026-04-03T02:54:38.204000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "6874a4e3316a973129ded267", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 533, "FileHash-SHA256": 276, "URL": 2159, "FileHash-MD5": 33, "FileHash-SHA1": 49 }, "indicator_count": 3335, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf2bee5726541dfad53a2b", "name": "Reconnaissance | Network Attack CREATED 9 MONTHS AGO MODIFIED 8 MONTHS AGO by Q.Vashti credit", "description": "", "modified": "2026-04-03T02:54:38.075000", "created": "2026-04-03T02:54:38.075000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "6874a4e3316a973129ded267", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 527, "FileHash-SHA256": 254, "URL": 2157, "FileHash-MD5": 30, "FileHash-SHA1": 46 }, "indicator_count": 3299, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6874a4e3316a973129ded267", "name": "Reconnaissance | Network Attack", "description": "", "modified": "2025-08-13T06:00:10.383000", "created": "2025-07-14T06:34:11.063000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 527, "FileHash-SHA256": 254, "URL": 2157, "FileHash-MD5": 30, "FileHash-SHA1": 46 }, "indicator_count": 3299, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66793cfdd0912f422ef254fd", "name": "Code Emulation and Cybercrime Infrastructure Discovery", "description": "", "modified": "2024-06-24T09:31:41.586000", "created": "2024-06-24T09:31:41.586000", "tags": [ "ransomware", "socgholish", "stealer", "matanbuchus", "loader", "emulation", "bulletproof" ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1578.004", "name": "Revert Cloud Instance", "display_name": "T1578.004 - Revert Cloud Instance" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [], "TLP": "white", "cloned_from": "664ae081cddfb534f4bd4c41", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 8, "domain": 41, "hostname": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "707 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664ae081cddfb534f4bd4c41", "name": "Code Emulation and Cybercrime Infrastructure Discovery", "description": "", "modified": "2024-06-07T11:05:52.899000", "created": "2024-05-20T05:32:49.374000", "tags": [ "ransomware", "socgholish", "stealer", "matanbuchus", "loader", "emulation", "bulletproof" ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1578.004", "name": "Revert Cloud Instance", "display_name": "T1578.004 - Revert Cloud Instance" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [], "TLP": "white", "cloned_from": "663b5f7e5b2287dec38a1b3b", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 8, "domain": 41, "hostname": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "724 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570919f567f88c3b2dd75c6", "name": "twitter.com/FLDEO", "description": "", "modified": "2023-12-06T15:22:07.801000", "created": "2023-12-06T15:22:07.801000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1186, "hostname": 229, "domain": 132, "URL": 778, "CIDR": 4, "FileHash-MD5": 18 }, "indicator_count": 2347, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708431101fabb9bba6f2ca", "name": "twitter.com.sncfconnect.", "description": "", "modified": "2023-12-06T14:24:49.902000", "created": "2023-12-06T14:24:49.902000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1184, "hostname": 190, "domain": 134, "URL": 718, "CIDR": 4, "FileHash-MD5": 18 }, "indicator_count": 2248, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "908 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6301258dab13367def6afe59", "name": "twitter.com/FLDEO", "description": "", "modified": "2022-09-19T00:10:46.535000", "created": "2022-08-20T18:18:53.836000", "tags": [ "Ransomware" ], "references": [ "twitter.com:FLDEO.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 778, "hostname": 229, "domain": 132, "FileHash-SHA256": 1186, "CIDR": 4, "FileHash-MD5": 18 }, "indicator_count": 2347, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6265b46fa4125c452cc9ec82", "name": "mobile.twitter my login pg source-code", "description": "", "modified": "2022-04-24T20:35:20.998000", "created": "2022-04-24T20:34:55.626000", "tags": [], "references": [ "web inspector mobile twitter com %2Fhome.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 47, "URL": 190, "hostname": 73, "domain": 33, "FileHash-MD5": 2 }, "indicator_count": 345, "is_author": false, "is_subscribing": null, "subscriber_count": 393, "modified_text": "1498 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "623b7742f9f6816daa04b271", "name": "www.apple.com:legal:internet-services:icloud:ww:%22,", "description": "", "modified": "2022-04-22T00:03:50.614000", "created": "2022-03-23T19:38:42.403000", "tags": [], "references": [ "www.apple.com:legal:internet-services:icloud:ww:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 379, "hostname": 98, "domain": 32, "FileHash-SHA256": 239, "CIDR": 2, "FileHash-MD5": 3 }, "indicator_count": 753, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1501 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231bc3c0122bd71a988146c", "name": "www.apple.com:legal:internet-services:icloud:ww:%22,", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T10:30:20.308000", "tags": [], "references": [ "www.apple.com:legal:internet-services:icloud:ww:%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 380, "hostname": 95, "domain": 32, "FileHash-SHA256": 239, "CIDR": 2, "FileHash-MD5": 3 }, "indicator_count": 751, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62323a059dd86f43416f9a4b", "name": "twitter.com.sncfconnect.", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T19:27:01.465000", "tags": [], "references": [ "twitter.com.sncfconnect.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 718, "hostname": 190, "domain": 134, "FileHash-SHA256": 1184, "CIDR": 4, "FileHash-MD5": 18 }, "indicator_count": 2248, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231ed83165843ba644da050", "name": "countyofventura.org", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T14:00:35.694000", "tags": [], "references": [ "countyofventura.org.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 154, "URL": 724, "domain": 75, "FileHash-SHA256": 117, "CIDR": 2, "FileHash-MD5": 23, "FileHash-SHA1": 1 }, "indicator_count": 1096, "is_author": false, "is_subscribing": null, "subscriber_count": 405, "modified_text": "1508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "twitter.com:FLDEO.pdf", "countyofventura.org.pdf", "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf", "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf", "twitter.com.sncfconnect.pdf", "www.apple.com:legal:internet-services:icloud:ww:%22,.pdf", "web inspector mobile twitter com %2Fhome.pdf" ], "related": { "alienvault": { "adversary": [ "TA577" ], "malware_families": [ "Matanbuchus", "Socgholish" ], "industries": [] }, "other": { "adversary": [ "TA577", "ShadowSyndicate" ], "malware_families": [ "Matanbuchus", "Ransom:win32/wannaren.a", "Socgholish" ], "industries": [ "Finance", "Logistic", "Healthcare", "Government", "Entertaiment", "Telecommunications", "Petroleum", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 20, "pulses": [ { "id": "663b5f7e5b2287dec38a1b3b", "name": "Code Emulation and Cybercrime Infrastructure Discovery", "description": "This report details the analysis of a malspam campaign utilizing the Matanbuchus loader, which involved decrypting strings within the malware through emulation techniques. The investigation pivoted to uncover a Russian bulletproof hosting service, Proton66 OOO, that currently hosts various malicious activities, including the SocGholish malware. The report highlights how exploring the infrastructure behind these threats can reveal interconnected cybercrime operations and enable proactive defense.", "modified": "2024-06-07T11:05:52.899000", "created": "2024-05-08T11:18:22.640000", "tags": [ "ransomware", "socgholish", "stealer", "matanbuchus", "loader", "emulation", "bulletproof" ], "references": [ "https://www.intrinsec.com/wp-content/uploads/2024/04/TLP-CLEAR-Matanbuchus-Co-Code-Emulation-and-Cybercrime-Infrastructure-Discovery-1.pdf" ], "public": 1, "adversary": "TA577", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1578.004", "name": "Revert Cloud Instance", "display_name": "T1578.004 - Revert Cloud Instance" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027.005", "name": "Indicator Removal from Tools", "display_name": "T1027.005 - Indicator Removal from Tools" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1591.001", "name": "Determine Physical Locations", "display_name": "T1591.001 - Determine Physical Locations" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 367, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 8, "domain": 41, "hostname": 10 }, "indicator_count": 60, "is_author": false, "is_subscribing": null, "subscriber_count": 386751, "modified_text": "724 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf2bee5c7200ce4af4593b", "name": "Reconnaissance | Network Attack CREATED 9 MONTHS AGO MODIFIED 8 MONTHS AGO by Q.Vashti credit", "description": "", "modified": "2026-05-14T02:04:19.615000", "created": "2026-04-03T02:54:38.204000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "6874a4e3316a973129ded267", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 533, "FileHash-SHA256": 276, "URL": 2159, "FileHash-MD5": 33, "FileHash-SHA1": 49 }, "indicator_count": 3335, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf2bee5726541dfad53a2b", "name": "Reconnaissance | Network Attack CREATED 9 MONTHS AGO MODIFIED 8 MONTHS AGO by Q.Vashti credit", "description": "", "modified": "2026-04-03T02:54:38.075000", "created": "2026-04-03T02:54:38.075000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "6874a4e3316a973129ded267", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 527, "FileHash-SHA256": 254, "URL": 2157, "FileHash-MD5": 30, "FileHash-SHA1": 46 }, "indicator_count": 3299, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "59 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688e34f75fa052ff5a9fbb4d", "name": "Shadow syndicate infrastructure illumination", "description": "ShadowSyndicate has emerged as a notable threat actor in the ransomware-as-a-service (RaaS) landscape, utilizing a sophisticated network primarily based in Europe and allegedly operated from Russia. This group has been linked to prominent ransomware families such as Lockbit and Cl0p, characterized by a consistent Secure Shell (SSH) fingerprint across their servers that enhances their operational security and resilience against law enforcement. The group demonstrates connections to state-sponsored actors from China and North Korea, employing tactics that blend ransomware deployment with information manipulation strategies, particularly in socio-political contexts, including hack-and-leak operations targeting political figures during sensitive events like U.S. elections.", "modified": "2025-09-01T15:02:58.791000", "created": "2025-08-02T15:55:35.485000", "tags": [], "references": [ "https://www.intrinsec.com/wp-content/uploads/2025/08/TLP-CLEAR-31072025-ShadowSyndicate-infrastructure-illumination-EN-1.pdf" ], "public": 1, "adversary": "ShadowSyndicate", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" } ], "industries": [ "Finance", "military", "Logistic", "Government", "Petroleum", "entertaiment", "Healthcare", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 25, "CVE": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "URL": 11, "domain": 68, "email": 21, "hostname": 18 }, "indicator_count": 154, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6874a4e3316a973129ded267", "name": "Reconnaissance | Network Attack", "description": "", "modified": "2025-08-13T06:00:10.383000", "created": "2025-07-14T06:34:11.063000", "tags": [ "united", "unknown aaaa", "status", "search", "servers", "ip address", "domain", "creation date", "emails", "date", "passive dns", "urls", "registrar", "hostname add", "pulse submit", "url analysis", "files", "files ip", "united kingdom", "unknown ns", "entries", "domain add", "utc na", "utc google", "tag manager", "gb3ys36jk1z", "utc gtm5829vrt", "utc gtmk5dxr7", "utc linkedin", "insight tag", "secure", "samesitenone", "path", "expiresthu", "pragma", "expires 1", "secchuaarch", "secchuamodel", "sameorigin", "connection", "sha256", "submitted", "focus ip", "appdetex", "thumbprint", "extraction", "data upload", "sc data", "type", "extr", "include review", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "window memory", "extra window", "pattern match", "blue shield", "file", "colorado", "runtime process", "copy md5", "copy sha1", "copy sha256", "program", "service", "span", "footer", "body", "find", "meta", "back", "mental", "download", "main", "iframe", "tips", "hybrid", "general", "local", "format", "click", "strings", "cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 282, "email": 3, "hostname": 527, "FileHash-SHA256": 254, "URL": 2157, "FileHash-MD5": 30, "FileHash-SHA1": 46 }, "indicator_count": 3299, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "292 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "563 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "669 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "itter.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "itter.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780345958.1707814 }