{ "type": "Domain", "indicator": "jaagnet.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jaagnet.com", "alexa": "http://www.alexa.com/siteinfo/jaagnet.com", "indicator": "jaagnet.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4067134609, "indicator": "jaagnet.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "6870355e6a5f2386068698a0", "name": "Deploying NetSupport RAT via WordPress & ClickFix", "description": "A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.", "modified": "2025-08-09T21:02:57.163000", "created": "2025-07-10T21:49:18.095000", "tags": [ "post-exploitation", "netsupport rat", "fake captcha", "dom manipulation", "phishing", "wordpress", "remote access" ], "references": [ "https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [ "Moldova, Republic of" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386796, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d47764f2270074641b9efa", "name": "clone urlhaus 23may CREATED 11 MONTHS AGO MODIFIED 2 MONTHS AGO by skocherhan Public TLP: Green REFERENCE: https://urlhaus.abuse.ch/downloads/json_online/", "description": "", "modified": "2026-04-07T03:17:56.739000", "created": "2026-04-07T03:17:56.739000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "682fec831be07e4fdf69fe47", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683202092d4ff2099430b6d3", "name": "urlhaus 30days", "description": "", "modified": "2026-02-09T00:11:12.303000", "created": "2025-05-24T17:29:45.368000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 4, "FileHash-SHA256": 31, "URL": 28057, "domain": 435, "hostname": 423 }, "indicator_count": 29011, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682fec831be07e4fdf69fe47", "name": "urlhaus 23may", "description": "", "modified": "2026-02-09T00:10:22.199000", "created": "2025-05-23T03:33:23.189000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6875e1d18dcc8adf0bda76c2", "name": "Deploying NetSupport RAT via WordPress & ClickFix", "description": "", "modified": "2025-08-09T21:02:57.163000", "created": "2025-07-15T05:06:25.809000", "tags": [ "post-exploitation", "netsupport rat", "fake captcha", "dom manipulation", "phishing", "wordpress", "remote access" ], "references": [ "https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [ "Moldova, Republic of" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "6870355e6a5f2386068698a0", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686c8a881b3707894eedd2b0", "name": "Malicious NetSupport Campaign Exploits WordPress Sites and User Clipboard", "description": "", "modified": "2025-08-07T03:01:17.019000", "created": "2025-07-08T03:03:35.832000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 502, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ea15bc94854a8a1a75594", "name": "URLHaus data - 09-05-2025", "description": "", "modified": "2025-06-09T00:01:38.726000", "created": "2025-05-10T00:44:11.612000", "tags": [ "ClearFake", "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "SocGholish", "censys", "CobaltStrike", "backdoor", "sshdkit", "hajime", "ascii", "Encoded", "rat", "RemcosRAT", "rev-base64-loader", "powershell", "ps1", "opendir", "MassLogger", "AgentTesla", "2025", "password", "zip", "xworm", "encrypted", "GuLoader", "NetSupport", "NetSupportRAT", "WsgiDAV", "remcos", "Arechclient2", "CoinMiner", "config", "json", "ua-wget", "xml", "jar", "kinsing", "sh", "exe", "botnetdomain", "Kimsuky", "linux", "malware", "dcrat", "connectwise", "screenconnect" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 794, "hostname": 10, "domain": 33 }, "indicator_count": 837, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "358 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://urlhaus.abuse.ch/browse/", "https://urlhaus.abuse.ch/downloads/json_online/", "https://threatfox.abuse.ch/export/csv/recent/", "https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Netsupport rat" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Netsupport rat" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "6870355e6a5f2386068698a0", "name": "Deploying NetSupport RAT via WordPress & ClickFix", "description": "A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that downloads and executes NetSupport Client files. Post-infection, the attacker uses NetSupport's features for reconnaissance and further exploitation. The attack utilizes various JavaScript files and DOM manipulation techniques to evade detection. Multiple IP addresses and domains associated with the attack infrastructure have been identified, primarily linked to hosting providers in Moldova.", "modified": "2025-08-09T21:02:57.163000", "created": "2025-07-10T21:49:18.095000", "tags": [ "post-exploitation", "netsupport rat", "fake captcha", "dom manipulation", "phishing", "wordpress", "remote access" ], "references": [ "https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [ "Moldova, Republic of" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386796, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d47764f2270074641b9efa", "name": "clone urlhaus 23may CREATED 11 MONTHS AGO MODIFIED 2 MONTHS AGO by skocherhan Public TLP: Green REFERENCE: https://urlhaus.abuse.ch/downloads/json_online/", "description": "", "modified": "2026-04-07T03:17:56.739000", "created": "2026-04-07T03:17:56.739000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "682fec831be07e4fdf69fe47", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "56 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "683202092d4ff2099430b6d3", "name": "urlhaus 30days", "description": "", "modified": "2026-02-09T00:11:12.303000", "created": "2025-05-24T17:29:45.368000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 61, "FileHash-SHA1": 4, "FileHash-SHA256": 31, "URL": 28057, "domain": 435, "hostname": 423 }, "indicator_count": 29011, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682fec831be07e4fdf69fe47", "name": "urlhaus 23may", "description": "", "modified": "2026-02-09T00:10:22.199000", "created": "2025-05-23T03:33:23.189000", "tags": [], "references": [ "https://urlhaus.abuse.ch/downloads/json_online/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 16, "FileHash-SHA256": 1, "CVE": 11, "URL": 12396, "domain": 433, "hostname": 572 }, "indicator_count": 13458, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6875e1d18dcc8adf0bda76c2", "name": "Deploying NetSupport RAT via WordPress & ClickFix", "description": "", "modified": "2025-08-09T21:02:57.163000", "created": "2025-07-15T05:06:25.809000", "tags": [ "post-exploitation", "netsupport rat", "fake captcha", "dom manipulation", "phishing", "wordpress", "remote access" ], "references": [ "https://www.cybereason.com/blog/net-support-rat-wordpress-clickfix/" ], "public": 1, "adversary": "", "targeted_countries": [ "Moldova, Republic of" ], "malware_families": [ { "id": "NetSupport RAT", "display_name": "NetSupport RAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": "6870355e6a5f2386068698a0", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "686c8a881b3707894eedd2b0", "name": "Malicious NetSupport Campaign Exploits WordPress Sites and User Clipboard", "description": "", "modified": "2025-08-07T03:01:17.019000", "created": "2025-07-08T03:03:35.832000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 6, "FileHash-SHA1": 3, "FileHash-SHA256": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 502, "modified_text": "299 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "681ea15bc94854a8a1a75594", "name": "URLHaus data - 09-05-2025", "description": "", "modified": "2025-06-09T00:01:38.726000", "created": "2025-05-10T00:44:11.612000", "tags": [ "ClearFake", "32-bit", "elf", "mips", "Mozi", "arm", "mirai", "SocGholish", "censys", "CobaltStrike", "backdoor", "sshdkit", "hajime", "ascii", "Encoded", "rat", "RemcosRAT", "rev-base64-loader", "powershell", "ps1", "opendir", "MassLogger", "AgentTesla", "2025", "password", "zip", "xworm", "encrypted", "GuLoader", "NetSupport", "NetSupportRAT", "WsgiDAV", "remcos", "Arechclient2", "CoinMiner", "config", "json", "ua-wget", "xml", "jar", "kinsing", "sh", "exe", "botnetdomain", "Kimsuky", "linux", "malware", "dcrat", "connectwise", "screenconnect" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 794, "hostname": 10, "domain": 33 }, "indicator_count": 837, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "358 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jaagnet.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jaagnet.com", "found": true, "verdict": "malicious", "url_count": 4, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://jaagnet.com/ksps.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] }, { "url": "https://jaagnet.com/rara.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] }, { "url": "https://jaagnet.com/raks.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] }, { "url": "https://jaagnet.com/osos.zip", "status": "offline", "threat": "malware_download", "date_added": "2025-05-09", "tags": [ "NetSupport" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780370443.466752 }