{ "type": "Domain", "indicator": "jquerylib-min.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jquerylib-min.net", "alexa": "http://www.alexa.com/siteinfo/jquerylib-min.net", "indicator": "jquerylib-min.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2688812876, "indicator": "jquerylib-min.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "678fe4d214e88c02cc2cc2d5", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "The report discusses an automated approach using graph neural networks to proactively detect malicious infrastructure employed by threat actors in cyber attacks based on known indicators. It examines the relationships between different types of indicators, such as co-hosted domains, malware delivery URLs, and SSL certificates, which can reveal connections between seemingly unrelated infrastructure. The approach involves training a graph neural network classifier on these relationships to identify new malicious domains and infrastructure. Three case studies are presented, highlighting the effectiveness of this approach in uncovering large-scale phishing campaigns targeting postal services, financial institutions, and web skimmer operations.", "modified": "2025-02-20T18:01:56.176000", "created": "2025-01-21T18:17:54.975000", "tags": [ "phishing", "automation", "malicious domains", "graph neural networks", "skimmer", "aranuk/carbanak" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "Squeamish Libra", "targeted_countries": [ "United States of America", "Canada", "Israel", "British Indian Ocean Territory", "India", "Pakistan", "United Kingdom of Great Britain and Northern Ireland", "Spain", "Korea, Democratic People's Republic of", "Korea, Republic of", "Singapore", "Australia", "Ireland", "United Kingdom of Great Britain and Northern Ireland", "Dominican Republic", "Mexico", "Italy", "Germany", "Greece", "South Africa", "Kenya", "Thailand", "Switzerland" ], "malware_families": [ { "id": "Aranuk/Carbanak", "display_name": "Aranuk/Carbanak", "target": null } ], "attack_ids": [ { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1557.002", "name": "ARP Cache Poisoning", "display_name": "T1557.002 - ARP Cache Poisoning" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84567, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 90, "hostname": 12 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 386518, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790b6d6c2d107b0f1c5d2ec", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "", "modified": "2025-02-20T18:01:56.176000", "created": "2025-01-22T09:13:58.970000", "tags": [ "phishing", "automation", "malicious domains", "graph neural networks", "skimmer", "aranuk/carbanak" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "Squeamish Libra", "targeted_countries": [ "United States of America", "Canada", "Israel", "British Indian Ocean Territory", "India", "Pakistan", "United Kingdom of Great Britain and Northern Ireland", "Spain", "Korea, Democratic People's Republic of", "Korea, Republic of", "Singapore", "Australia", "Ireland", "United Kingdom of Great Britain and Northern Ireland", "Dominican Republic", "Mexico", "Italy", "Germany", "Greece", "South Africa", "Kenya", "Thailand", "Switzerland" ], "malware_families": [ { "id": "Aranuk/Carbanak", "display_name": "Aranuk/Carbanak", "target": null } ], "attack_ids": [ { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1557.002", "name": "ARP Cache Poisoning", "display_name": "T1557.002 - ARP Cache Poisoning" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "678fe4d214e88c02cc2cc2d5", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 90, "hostname": 12 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6787c44e6e457168732a5383", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "", "modified": "2025-02-14T14:00:18.165000", "created": "2025-01-15T14:21:02.888000", "tags": [ "unit", "https", "ip address", "figure", "networks", "fin7", "palo alto", "libra", "prolific puma", "gnn approach", "june", "alliance", "malware", "ukraine", "raid", "service", "august", "click", "beyond" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "domain": 95, "hostname": 14 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/", "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "related": { "alienvault": { "adversary": [ "Squeamish Libra" ], "malware_families": [ "Aranuk/carbanak" ], "industries": [] }, "other": { "adversary": [ "Squeamish Libra" ], "malware_families": [ "Aranuk/carbanak" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "678fe4d214e88c02cc2cc2d5", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "The report discusses an automated approach using graph neural networks to proactively detect malicious infrastructure employed by threat actors in cyber attacks based on known indicators. It examines the relationships between different types of indicators, such as co-hosted domains, malware delivery URLs, and SSL certificates, which can reveal connections between seemingly unrelated infrastructure. The approach involves training a graph neural network classifier on these relationships to identify new malicious domains and infrastructure. Three case studies are presented, highlighting the effectiveness of this approach in uncovering large-scale phishing campaigns targeting postal services, financial institutions, and web skimmer operations.", "modified": "2025-02-20T18:01:56.176000", "created": "2025-01-21T18:17:54.975000", "tags": [ "phishing", "automation", "malicious domains", "graph neural networks", "skimmer", "aranuk/carbanak" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "Squeamish Libra", "targeted_countries": [ "United States of America", "Canada", "Israel", "British Indian Ocean Territory", "India", "Pakistan", "United Kingdom of Great Britain and Northern Ireland", "Spain", "Korea, Democratic People's Republic of", "Korea, Republic of", "Singapore", "Australia", "Ireland", "United Kingdom of Great Britain and Northern Ireland", "Dominican Republic", "Mexico", "Italy", "Germany", "Greece", "South Africa", "Kenya", "Thailand", "Switzerland" ], "malware_families": [ { "id": "Aranuk/Carbanak", "display_name": "Aranuk/Carbanak", "target": null } ], "attack_ids": [ { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1557.002", "name": "ARP Cache Poisoning", "display_name": "T1557.002 - ARP Cache Poisoning" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84567, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 90, "hostname": 12 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 386518, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "106 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6790b6d6c2d107b0f1c5d2ec", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "", "modified": "2025-02-20T18:01:56.176000", "created": "2025-01-22T09:13:58.970000", "tags": [ "phishing", "automation", "malicious domains", "graph neural networks", "skimmer", "aranuk/carbanak" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "Squeamish Libra", "targeted_countries": [ "United States of America", "Canada", "Israel", "British Indian Ocean Territory", "India", "Pakistan", "United Kingdom of Great Britain and Northern Ireland", "Spain", "Korea, Democratic People's Republic of", "Korea, Republic of", "Singapore", "Australia", "Ireland", "United Kingdom of Great Britain and Northern Ireland", "Dominican Republic", "Mexico", "Italy", "Germany", "Greece", "South Africa", "Kenya", "Thailand", "Switzerland" ], "malware_families": [ { "id": "Aranuk/Carbanak", "display_name": "Aranuk/Carbanak", "target": null } ], "attack_ids": [ { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1608.001", "name": "Upload Malware", "display_name": "T1608.001 - Upload Malware" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1557.002", "name": "ARP Cache Poisoning", "display_name": "T1557.002 - ARP Cache Poisoning" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [], "TLP": "white", "cloned_from": "678fe4d214e88c02cc2cc2d5", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 90, "hostname": 12 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6787c44e6e457168732a5383", "name": "One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks", "description": "", "modified": "2025-02-14T14:00:18.165000", "created": "2025-01-15T14:21:02.888000", "tags": [ "unit", "https", "ip address", "figure", "networks", "fin7", "palo alto", "libra", "prolific puma", "gnn approach", "june", "alliance", "malware", "ukraine", "raid", "service", "august", "click", "beyond" ], "references": [ "https://unit42.paloaltonetworks.com/graph-neural-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "domain": 95, "hostname": 14 }, "indicator_count": 110, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jquerylib-min.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jquerylib-min.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780226544.4636297 }