{ "type": "Domain", "indicator": "jsonkeeper.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jsonkeeper.com", "alexa": "http://www.alexa.com/siteinfo/jsonkeeper.com", "indicator": "jsonkeeper.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4149112561, "indicator": "jsonkeeper.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 100, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c08867316c564ade394c69", "name": "PhishDestroy \u2014 Content Active Threats (Live)", "description": "Live feed of phishing and crypto scam domains with ACTIVE malicious content from PhishDestroy. These domains are verified to have live phishing/scam pages. Updated hourly. Source: github.com/phishdestroy/destroylist/dns/content_active.json", "modified": "2026-05-21T12:06:19.702000", "created": "2026-03-23T00:25:09.116000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy", "active", "content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132502, "hostname": 66217 }, "indicator_count": 198719, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a052f410d91d8ca688c2e7d", "name": "IOC - Malware Found in Trending Hugging Face Repository \"Open-OSS/privacy-filter\"", "description": "On the 7th of May 2026, we identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which at the time appeared among the platform's top trending repositories with over 200k downloads until its removal by the Hugging Face team. The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.", "modified": "2026-05-14T02:11:13.529000", "created": "2026-05-14T02:11:13.529000", "tags": [ "hugging face", "infostealer", "winos", "c2 ips", "powershell", "file hashes", "sha256", "payload" ], "references": [ "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter#iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "IPv4": 1, "URL": 1, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a042f36be0e0f4f3d3fcb1c", "name": "Malware Found in Trending Hugging Face Repository Open-OSS/privacy-filter", "description": "On May 7, 2026, malicious code was discovered in the Hugging Face repository Open-OSS/privacy-filter, which had gained significant traction, amassing over 200,000 downloads within a single day prior to its removal. This repository utilized typosquatting techniques on OpenAI's genuine Privacy Filter, closely replicating its model card while incorporating a harmful http://loader.py file intended to deliver infostealer malware to Windows machines.", "modified": "2026-05-13T07:58:46.109000", "created": "2026-05-13T07:58:46.109000", "tags": [ "hugging face", "huggingface", "openai", "windows", "temp", "privacy filter", "jsonkeeper", "json paste", "localappdata", "appdata", "april", "winos", "discord", "panther", "infostealer", "powershell", "payload", "json" ], "references": [ "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "IPv4": 1, "URL": 4, "domain": 15, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cb0ce73bef5c452bfb0", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:04.332000", "created": "2026-05-04T06:29:04.332000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83caf1bef3609f0eb79e2", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:03.120000", "created": "2026-05-04T06:29:03.120000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cac7d6c947de6c080f9", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:00.417000", "created": "2026-05-04T06:29:00.417000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab9769e92b3285a2b4", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.770000", "created": "2026-05-04T06:28:59.770000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab7e03b19c5f1078e3", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.113000", "created": "2026-05-04T06:28:59.113000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83ca9411c8ab5d294a7e2", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:57.479000", "created": "2026-05-04T06:28:57.479000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83ca77d6c947de6c080f8", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:55.093000", "created": "2026-05-04T06:28:55.093000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4a9fba8304415c6f4dbb", "name": "Triple Fork: OtterCookie Variant Delivered via Bitbucket Developer Lure | ThreatProphet", "description": "An OtterCookie-family three-child loader was deployed in a Contagious Interview campaign that targeted developers, cryptocurrency wallets, and 2FA seeds, according to an analysis by security researchers.", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:01.354000", "tags": [ "ottercookie", "contagious-interview", "beavertail", "linkedin-lure", "famous-chollima", "javascript", "bitbucket", "node-js", "crypto-stealer", "npoint", "cloudzy", "windows", "stage", "c2 ip", "ntt security", "web data", "authy", "cisco talos", "ttp similarity", "tron", "harmony", "loader", "kiwi", "harvester", "desktop", "lazarus", "contagious interview" ], "references": [ "https://threatprophet.com/posts/2026-03-26-triple-fork/" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "Contagious Interview", "display_name": "Contagious Interview", "target": null }, { "id": "OtterCookie", "display_name": "OtterCookie", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Gaming" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ThreatProphet", "id": "384731", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_384731/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 11, "domain": 2, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4aad6a926c102bf0c5265", "name": "Twitter Feed - skocherhan - 06-04-2026", "description": "", "modified": "2026-04-07T06:57:26.463000", "created": "2026-04-07T06:57:26.463000", "tags": [], "references": [ "https://x.com/skocherhan/status/2041053950502228336", "https://x.com/skocherhan/status/2041054024993050762", "https://x.com/skocherhan/status/2041064085735784602", "https://x.com/skocherhan/status/2041094116868559071", "https://x.com/skocherhan/status/2041154992048857230", "https://x.com/skocherhan/status/2041158235495833828", "https://x.com/skocherhan/status/2041165511308796064", "https://x.com/skocherhan/status/2041232651529437681", "https://x.com/skocherhan/status/2041248624974147978" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "URL": 7, "hostname": 2, "FileHash-SHA256": 1, "FileHash-MD5": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a64eabf1247228cd91f305", "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware", "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.", "modified": "2026-04-02T02:10:40.173000", "created": "2026-03-03T02:59:55.403000", "tags": [ "javascript", "malware", "npm", "dprk", "appdata", "pastebin", "february", "famous chollima", "wednesday", "pm cdt", "edgar04231", "gemini", "next", "linux", "execution", "macos", "back", "\u2019m", "lazarus", "threat intelligence", "osint", "https", "apikey", "starlancer555", "thtduoje", "luka1291", "http", "millosmike3", "kaiserman1029", "crouchtomy", "holppkgaske6i75", "vlad", "malicious", "info", "august", "ottercookie", "beavertail", "april", "june", "contact" ], "references": [ "https://kmsec.uk/blog/dprk-text-steganography/", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 379, "email": 76, "URL": 57, "domain": 21, "hostname": 34 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697ba5041e2f15988d56acf1", "name": "A LinkedIn Job Offer Tried to Install Malware on My Machine", "description": "A recent incident involving a fraudulent job offer on LinkedIn showcased a targeted supply-chain attack utilizing a trojanized Node.js application. The attacker created a convincing profile on LinkedIn, portraying themselves as a Branch Manager with numerous connections but no activity, raising initial red flags. This approach was part of a larger scheme to infect potential victims' machines with malware.\n\nThe key component of this attack was a postinstall script embedded in the Node.js application. When victims executed the npm install command, the script triggered automatic execution of the malware alongside the legitimate application dependencies. This malware exploited npm's lifecycle hooks to initiate a multi-stage credential-theft operation and establish command-and-control (C2) communications. A legitimate service was misused to host the malicious payload, allowing the attacker to evade basic security measures by making the malicious traffic appear normal.", "modified": "2026-02-28T18:05:24.088000", "created": "2026-01-29T18:20:52.473000", "tags": [ "npm security", "developer security", "linkedin scam", "supply chain attack", "developer malware", "npm postinstall attack", "node.js malware", "credential theft", "code review security", "january", "capable", "configured", "rajinder mudhar", "fine property", "notion document", "jack murray", "sendgrid", "c2 server", "cloudzy", "malware", "powershell", "project", "sandbox" ], "references": [ "https://codecrank.ai/blog/linkedin-malware-warning/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1546.008", "name": "Accessibility Features", "display_name": "T1546.008 - Accessibility Features" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 4, "domain": 1, "hostname": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6955dee69e2dce75159d95eb", "name": "Twitter Feed - CarlyGriggs13 - 31-12-2025", "description": "", "modified": "2026-01-01T02:41:42.332000", "created": "2026-01-01T02:41:42.332000", "tags": [ "scam" ], "references": [ "https://x.com/CarlyGriggs13/status/2006327074836164644", "https://x.com/CarlyGriggs13/status/2006327225256386738", "https://x.com/CarlyGriggs13/status/2006327378923143366", "https://x.com/CarlyGriggs13/status/2006327523840594128", "https://x.com/CarlyGriggs13/status/2006327675603066887", "https://x.com/CarlyGriggs13/status/2006327847934361728", "https://x.com/CarlyGriggs13/status/2006327995339010378", "https://x.com/CarlyGriggs13/status/2006328148338905588", "https://x.com/CarlyGriggs13/status/2006328298243260557", "https://x.com/CarlyGriggs13/status/2006328891259113637", "https://x.com/CarlyGriggs13/status/2006330867967574095", "https://x.com/CarlyGriggs13/status/2006331022842253322", "https://x.com/CarlyGriggs13/status/2006331181189706087", "https://x.com/CarlyGriggs13/status/2006331338782343300", "https://x.com/CarlyGriggs13/status/2006331503098384756", "https://x.com/CarlyGriggs13/status/2006331827745874299", "https://x.com/CarlyGriggs13/status/2006331983199400213", "https://x.com/CarlyGriggs13/status/2006332173566230870", "https://x.com/CarlyGriggs13/status/2006332344349991123", "https://x.com/CarlyGriggs13/status/2006332488315269219", "https://x.com/CarlyGriggs13/status/2006332643760382124", "https://x.com/CarlyGriggs13/status/2006332797401899325", "https://x.com/CarlyGriggs13/status/2006332934702399766", "https://x.com/CarlyGriggs13/status/2006333100796850495", "https://x.com/CarlyGriggs13/status/2006333252592963864", "https://x.com/CarlyGriggs13/status/2006333438530666882", "https://x.com/CarlyGriggs13/status/2006333592713179342", "https://x.com/CarlyGriggs13/status/2006333747105522091", "https://x.com/CarlyGriggs13/status/2006333897987236293", "https://x.com/CarlyGriggs13/status/2006334676223640017", "https://x.com/CarlyGriggs13/status/2006336681134395892", "https://x.com/CarlyGriggs13/status/2006336825447899578", "https://x.com/CarlyGriggs13/status/2006336991336739010", "https://x.com/CarlyGriggs13/status/2006337140968636588", "https://x.com/CarlyGriggs13/status/2006337299764879584", "https://x.com/CarlyGriggs13/status/2006337461128183983", "https://x.com/CarlyGriggs13/status/2006337606846681392", "https://x.com/CarlyGriggs13/status/2006337761004179622", "https://x.com/CarlyGriggs13/status/2006337889614127161", "https://x.com/CarlyGriggs13/status/2006338050591502661", "https://x.com/CarlyGriggs13/status/2006338436350025862", "https://x.com/CarlyGriggs13/status/2006338587441430542", "https://x.com/CarlyGriggs13/status/2006338757532987877", "https://x.com/CarlyGriggs13/status/2006338910553813381", "https://x.com/CarlyGriggs13/status/2006339054141677949", "https://x.com/CarlyGriggs13/status/2006339207544086807", "https://x.com/CarlyGriggs13/status/2006339364776001962", "https://x.com/CarlyGriggs13/status/2006339515498348963", "https://x.com/CarlyGriggs13/status/2006339666895909256", "https://x.com/CarlyGriggs13/status/2006339813767794868", "https://x.com/CarlyGriggs13/status/2006344314444726410", "https://x.com/CarlyGriggs13/status/2006344401069678909", "https://x.com/CarlyGriggs13/status/2006344496322359571", "https://x.com/CarlyGriggs13/status/2006344603776303174", "https://x.com/CarlyGriggs13/status/2006344709774639454", "https://x.com/CarlyGriggs13/status/2006344799109181882", "https://x.com/CarlyGriggs13/status/2006344904226865522", "https://x.com/CarlyGriggs13/status/2006344994756743482", "https://x.com/CarlyGriggs13/status/2006345091867349280", "https://x.com/CarlyGriggs13/status/2006345188005040552", "https://x.com/CarlyGriggs13/status/2006345278950171079", "https://x.com/CarlyGriggs13/status/2006345365067587772", "https://x.com/CarlyGriggs13/status/2006345740818567624", "https://x.com/CarlyGriggs13/status/2006349568989085701", "https://x.com/CarlyGriggs13/status/2006349666498298154", "https://x.com/CarlyGriggs13/status/2006349756063445274", "https://x.com/CarlyGriggs13/status/2006349848912818570", "https://x.com/CarlyGriggs13/status/2006349941866946825", "https://x.com/CarlyGriggs13/status/2006350110960324799", "https://x.com/CarlyGriggs13/status/2006350201561510231", "https://x.com/CarlyGriggs13/status/2006350449973264621", "https://x.com/CarlyGriggs13/status/2006350564335161352", "https://x.com/CarlyGriggs13/status/2006350659990552872", "https://x.com/CarlyGriggs13/status/2006350748117074391", "https://x.com/CarlyGriggs13/status/2006350831004917767", "https://x.com/CarlyGriggs13/status/2006350911782920378", "https://x.com/CarlyGriggs13/status/2006355580282347748", "https://x.com/CarlyGriggs13/status/2006355691594994104", "https://x.com/CarlyGriggs13/status/2006355787472617664", "https://x.com/CarlyGriggs13/status/2006355896709079273", "https://x.com/CarlyGriggs13/status/2006355979022299532", "https://x.com/CarlyGriggs13/status/2006356081182941602", "https://x.com/CarlyGriggs13/status/2006356172207698289", "https://x.com/CarlyGriggs13/status/2006356259843584003", "https://x.com/CarlyGriggs13/status/2006356356975284617", "https://x.com/CarlyGriggs13/status/2006356460167684345", "https://x.com/CarlyGriggs13/status/2006356565910298896", "https://x.com/CarlyGriggs13/status/2006356677495546001", "https://x.com/CarlyGriggs13/status/2006360756275810562", "https://x.com/CarlyGriggs13/status/2006360868553216087", "https://x.com/CarlyGriggs13/status/2006360952766423218", "https://x.com/CarlyGriggs13/status/2006361060274831801", "https://x.com/CarlyGriggs13/status/2006361160246079606", "https://x.com/CarlyGriggs13/status/2006361251472138516", "https://x.com/CarlyGriggs13/status/2006361349203607552", "https://x.com/CarlyGriggs13/status/2006361432422834490", "https://x.com/CarlyGriggs13/status/2006361517487444261", "https://x.com/CarlyGriggs13/status/2006361606419357722", "https://x.com/CarlyGriggs13/status/2006361691479490894", "https://x.com/CarlyGriggs13/status/2006361776732971358", "https://x.com/CarlyGriggs13/status/2006361868030410888", "https://x.com/CarlyGriggs13/status/2006361971801641259", "https://x.com/CarlyGriggs13/status/2006364252697923873", "https://x.com/CarlyGriggs13/status/2006367615686680918", "https://x.com/CarlyGriggs13/status/2006367722372997505", "https://x.com/CarlyGriggs13/status/2006367821161443476", "https://x.com/CarlyGriggs13/status/2006367915449463076", "https://x.com/CarlyGriggs13/status/2006368005920583899", "https://x.com/CarlyGriggs13/status/2006368102955761777", "https://x.com/CarlyGriggs13/status/2006368527012233405", "https://x.com/CarlyGriggs13/status/2006368634965287161", "https://x.com/CarlyGriggs13/status/2006368732466315581", "https://x.com/CarlyGriggs13/status/2006368833288696291", "https://x.com/CarlyGriggs13/status/2006372866271621452", "https://x.com/CarlyGriggs13/status/2006372965961601041", "https://x.com/CarlyGriggs13/status/2006373050355196276", "https://x.com/CarlyGriggs13/status/2006373155351191798", "https://x.com/CarlyGriggs13/status/2006373232996409475", "https://x.com/CarlyGriggs13/status/2006373333789507593", "https://x.com/CarlyGriggs13/status/2006373418460123257", "https://x.com/CarlyGriggs13/status/2006373499104071730", "https://x.com/CarlyGriggs13/status/2006374016282701977", "https://x.com/CarlyGriggs13/status/2006374112978227592", "https://x.com/CarlyGriggs13/status/2006374199594717413", "https://x.com/CarlyGriggs13/status/2006374297909022762", "https://x.com/CarlyGriggs13/status/2006374377106096252", "https://x.com/CarlyGriggs13/status/2006374468067705140", "https://x.com/CarlyGriggs13/status/2006379503338270791", "https://x.com/CarlyGriggs13/status/2006380080218644703", "https://x.com/CarlyGriggs13/status/2006380171155411308", "https://x.com/CarlyGriggs13/status/2006380256052261020", "https://x.com/CarlyGriggs13/status/2006380339074085220", "https://x.com/CarlyGriggs13/status/2006380438743634095", "https://x.com/CarlyGriggs13/status/2006380612656230774", "https://x.com/CarlyGriggs13/status/2006380703970402807", "https://x.com/CarlyGriggs13/status/2006380807523536966", "https://x.com/CarlyGriggs13/status/2006380901207273771", "https://x.com/CarlyGriggs13/status/2006381005163426131", "https://x.com/CarlyGriggs13/status/2006381091465331055", "https://x.com/CarlyGriggs13/status/2006386253575688244", "https://x.com/CarlyGriggs13/status/2006386353739841679", "https://x.com/CarlyGriggs13/status/2006386464251388186", "https://x.com/CarlyGriggs13/status/2006386645797687606", "https://x.com/CarlyGriggs13/status/2006386739817177412", "https://x.com/CarlyGriggs13/status/2006386831772856434", "https://x.com/CarlyGriggs13/status/2006386924261654709", "https://x.com/CarlyGriggs13/status/2006387020390883600", "https://x.com/CarlyGriggs13/status/2006387119095525526", "https://x.com/CarlyGriggs13/status/2006387197209899088", "https://x.com/CarlyGriggs13/status/2006387358619537492", "https://x.com/CarlyGriggs13/status/2006387451019800809", "https://x.com/CarlyGriggs13/status/2006387535426322465", "https://x.com/CarlyGriggs13/status/2006391780271325260", "https://x.com/CarlyGriggs13/status/2006391871283806287", "https://x.com/CarlyGriggs13/status/2006391970378264978", "https://x.com/CarlyGriggs13/status/2006392053727404160", "https://x.com/CarlyGriggs13/status/2006392141560652112", "https://x.com/CarlyGriggs13/status/2006392245922959783", "https://x.com/CarlyGriggs13/status/2006392432129155478", "https://x.com/CarlyGriggs13/status/2006397492204564491", "https://x.com/CarlyGriggs13/status/2006397599281029133", "https://x.com/CarlyGriggs13/status/2006397674094834087", "https://x.com/CarlyGriggs13/status/2006397766688207005", "https://x.com/CarlyGriggs13/status/2006399662786273483", "https://x.com/CarlyGriggs13/status/2006400560413471178", "https://x.com/CarlyGriggs13/status/2006400959417552924", "https://x.com/CarlyGriggs13/status/2006401053449654778", "https://x.com/CarlyGriggs13/status/2006401153651618032", "https://x.com/CarlyGriggs13/status/2006401234840719747", "https://x.com/CarlyGriggs13/status/2006401310946365666", "https://x.com/CarlyGriggs13/status/2006401390029967485", "https://x.com/CarlyGriggs13/status/2006401467414876627", "https://x.com/CarlyGriggs13/status/2006401564324377020", "https://x.com/CarlyGriggs13/status/2006401669127344505", "https://x.com/CarlyGriggs13/status/2006401753147674639", "https://x.com/CarlyGriggs13/status/2006401854264013002", "https://x.com/CarlyGriggs13/status/2006401949470527806", "https://x.com/CarlyGriggs13/status/2006402716587675851", "https://x.com/CarlyGriggs13/status/2006405210915155990", "https://x.com/CarlyGriggs13/status/2006405302975905827", "https://x.com/CarlyGriggs13/status/2006405399826575586", "https://x.com/CarlyGriggs13/status/2006405838726935026", "https://x.com/CarlyGriggs13/status/2006405940375863643", "https://x.com/CarlyGriggs13/status/2006406398742048791", "https://x.com/CarlyGriggs13/status/2006410595499638837", "https://x.com/CarlyGriggs13/status/2006410680631455768", "https://x.com/CarlyGriggs13/status/2006410780388790735", "https://x.com/CarlyGriggs13/status/2006410867903004833", "https://x.com/CarlyGriggs13/status/2006417850156613637", "https://x.com/CarlyGriggs13/status/2006419771709944070", "https://x.com/CarlyGriggs13/status/2006438367278542869", "https://x.com/CarlyGriggs13/status/2006438442155302994", "https://x.com/CarlyGriggs13/status/2006438523356983472", "https://x.com/CarlyGriggs13/status/2006438995442688050", "https://x.com/CarlyGriggs13/status/2006439075822309745", "https://x.com/CarlyGriggs13/status/2006439176527556983", "https://x.com/CarlyGriggs13/status/2006439262384959970", "https://x.com/CarlyGriggs13/status/2006439347822932066", "https://x.com/CarlyGriggs13/status/2006439426147365153", "https://x.com/CarlyGriggs13/status/2006439517868490817", "https://x.com/CarlyGriggs13/status/2006439622608593165", "https://x.com/CarlyGriggs13/status/2006439716963623201", "https://x.com/CarlyGriggs13/status/2006439791060279554", "https://x.com/CarlyGriggs13/status/2006439882311479315", "https://x.com/CarlyGriggs13/status/2006439967711723795" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 205, "domain": 121, "FileHash-MD5": 1, "hostname": 83 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/CarlyGriggs13/status/2006438367278542869", "https://x.com/CarlyGriggs13/status/2006438523356983472", "https://codecrank.ai/blog/linkedin-malware-warning/", "https://x.com/CarlyGriggs13/status/2006386253575688244", "https://x.com/CarlyGriggs13/status/2006401390029967485", "https://x.com/CarlyGriggs13/status/2006337606846681392", "https://x.com/CarlyGriggs13/status/2006331181189706087", "https://x.com/CarlyGriggs13/status/2006401467414876627", "https://x.com/CarlyGriggs13/status/2006405399826575586", "https://x.com/CarlyGriggs13/status/2006361349203607552", "https://x.com/CarlyGriggs13/status/2006327523840594128", "https://x.com/CarlyGriggs13/status/2006368005920583899", "https://x.com/skocherhan/status/2041154992048857230", "https://x.com/CarlyGriggs13/status/2006386924261654709", "https://x.com/skocherhan/status/2041165511308796064", "https://x.com/CarlyGriggs13/status/2006356677495546001", "https://x.com/CarlyGriggs13/status/2006439882311479315", "https://x.com/CarlyGriggs13/status/2006344799109181882", "https://x.com/CarlyGriggs13/status/2006364252697923873", "https://x.com/CarlyGriggs13/status/2006373050355196276", "https://x.com/CarlyGriggs13/status/2006355979022299532", "https://x.com/CarlyGriggs13/status/2006355787472617664", "https://x.com/CarlyGriggs13/status/2006380171155411308", "https://x.com/CarlyGriggs13/status/2006330867967574095", "https://x.com/CarlyGriggs13/status/2006344496322359571", "Book1.csv", "https://x.com/CarlyGriggs13/status/2006355580282347748", "https://x.com/CarlyGriggs13/status/2006387119095525526", "https://x.com/CarlyGriggs13/status/2006387020390883600", "https://x.com/CarlyGriggs13/status/2006400560413471178", "https://x.com/CarlyGriggs13/status/2006392141560652112", "https://x.com/CarlyGriggs13/status/2006349848912818570", "https://x.com/CarlyGriggs13/status/2006372866271621452", "https://x.com/CarlyGriggs13/status/2006419771709944070", "https://x.com/CarlyGriggs13/status/2006331022842253322", "https://x.com/CarlyGriggs13/status/2006439716963623201", "https://x.com/CarlyGriggs13/status/2006397766688207005", "https://x.com/CarlyGriggs13/status/2006368833288696291", "https://x.com/CarlyGriggs13/status/2006417850156613637", "https://x.com/CarlyGriggs13/status/2006438995442688050", "https://x.com/CarlyGriggs13/status/2006337761004179622", "https://x.com/CarlyGriggs13/status/2006350748117074391", "https://x.com/CarlyGriggs13/status/2006410867903004833", "https://x.com/CarlyGriggs13/status/2006367722372997505", "https://x.com/CarlyGriggs13/status/2006380807523536966", "https://x.com/CarlyGriggs13/status/2006350449973264621", "https://x.com/CarlyGriggs13/status/2006439791060279554", "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter", "https://x.com/CarlyGriggs13/status/2006380080218644703", "https://x.com/CarlyGriggs13/status/2006397674094834087", "https://x.com/CarlyGriggs13/status/2006337461128183983", "https://x.com/CarlyGriggs13/status/2006349666498298154", "https://x.com/CarlyGriggs13/status/2006402716587675851", "https://x.com/skocherhan/status/2041248624974147978", "https://x.com/CarlyGriggs13/status/2006387358619537492", "https://x.com/CarlyGriggs13/status/2006367821161443476", "https://x.com/CarlyGriggs13/status/2006345091867349280", "https://x.com/CarlyGriggs13/status/2006327847934361728", "https://x.com/CarlyGriggs13/status/2006380901207273771", "https://x.com/CarlyGriggs13/status/2006405210915155990", "https://x.com/CarlyGriggs13/status/2006373155351191798", "https://x.com/CarlyGriggs13/status/2006387451019800809", "https://x.com/CarlyGriggs13/status/2006380339074085220", "https://x.com/CarlyGriggs13/status/2006361432422834490", "https://x.com/CarlyGriggs13/status/2006368634965287161", "https://x.com/CarlyGriggs13/status/2006387197209899088", "https://x.com/CarlyGriggs13/status/2006438442155302994", "https://x.com/CarlyGriggs13/status/2006327995339010378", "https://x.com/CarlyGriggs13/status/2006439347822932066", "https://x.com/skocherhan/status/2041094116868559071", "https://x.com/CarlyGriggs13/status/2006339515498348963", "https://x.com/CarlyGriggs13/status/2006345365067587772", "https://x.com/CarlyGriggs13/status/2006392053727404160", "https://x.com/CarlyGriggs13/status/2006328148338905588", "https://x.com/CarlyGriggs13/status/2006401669127344505", "https://x.com/CarlyGriggs13/status/2006333252592963864", "https://x.com/CarlyGriggs13/status/2006410780388790735", "https://x.com/CarlyGriggs13/status/2006361971801641259", "https://x.com/CarlyGriggs13/status/2006339054141677949", "https://x.com/CarlyGriggs13/status/2006381091465331055", "https://x.com/CarlyGriggs13/status/2006350659990552872", "https://x.com/CarlyGriggs13/status/2006361606419357722", "https://x.com/CarlyGriggs13/status/2006401310946365666", "https://x.com/CarlyGriggs13/status/2006368527012233405", "https://x.com/CarlyGriggs13/status/2006405940375863643", "https://x.com/CarlyGriggs13/status/2006332173566230870", "https://x.com/CarlyGriggs13/status/2006350911782920378", "https://x.com/CarlyGriggs13/status/2006373418460123257", "https://x.com/CarlyGriggs13/status/2006336825447899578", "https://x.com/CarlyGriggs13/status/2006331983199400213", "https://x.com/CarlyGriggs13/status/2006355896709079273", "https://x.com/CarlyGriggs13/status/2006361517487444261", "https://x.com/CarlyGriggs13/status/2006373333789507593", "https://x.com/CarlyGriggs13/status/2006328891259113637", "https://x.com/CarlyGriggs13/status/2006356460167684345", "https://x.com/CarlyGriggs13/status/2006380703970402807", "https://x.com/CarlyGriggs13/status/2006361060274831801", "https://x.com/CarlyGriggs13/status/2006405302975905827", "https://x.com/CarlyGriggs13/status/2006337299764879584", "https://x.com/CarlyGriggs13/status/2006350564335161352", "https://x.com/CarlyGriggs13/status/2006344904226865522", "https://x.com/CarlyGriggs13/status/2006373232996409475", "https://x.com/CarlyGriggs13/status/2006332934702399766", "https://x.com/CarlyGriggs13/status/2006401854264013002", "https://dprk-research.kmsec.uk/?start=1733011200000", "https://x.com/CarlyGriggs13/status/2006391871283806287", "https://x.com/CarlyGriggs13/status/2006350201561510231", "https://x.com/CarlyGriggs13/status/2006401153651618032", "https://x.com/CarlyGriggs13/status/2006367615686680918", "https://x.com/CarlyGriggs13/status/2006337140968636588", "https://x.com/CarlyGriggs13/status/2006367915449463076", "https://x.com/CarlyGriggs13/status/2006337889614127161", "https://x.com/CarlyGriggs13/status/2006339813767794868", "https://x.com/CarlyGriggs13/status/2006372965961601041", "https://x.com/CarlyGriggs13/status/2006401949470527806", "https://x.com/CarlyGriggs13/status/2006339666895909256", "https://x.com/CarlyGriggs13/status/2006361251472138516", "https://x.com/CarlyGriggs13/status/2006338587441430542", "https://x.com/CarlyGriggs13/status/2006391780271325260", "https://x.com/CarlyGriggs13/status/2006392432129155478", "https://x.com/CarlyGriggs13/status/2006439176527556983", "https://x.com/skocherhan/status/2041232651529437681", "https://x.com/CarlyGriggs13/status/2006327675603066887", "https://x.com/CarlyGriggs13/status/2006386464251388186", "https://x.com/CarlyGriggs13/status/2006332344349991123", "https://x.com/CarlyGriggs13/status/2006331827745874299", "https://x.com/CarlyGriggs13/status/2006333592713179342", "https://x.com/CarlyGriggs13/status/2006328298243260557", "https://x.com/CarlyGriggs13/status/2006374199594717413", "https://x.com/CarlyGriggs13/status/2006374377106096252", "https://x.com/CarlyGriggs13/status/2006350110960324799", "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter#iocs", "https://x.com/CarlyGriggs13/status/2006439967711723795", "https://x.com/CarlyGriggs13/status/2006439426147365153", "https://x.com/CarlyGriggs13/status/2006334676223640017", "https://x.com/CarlyGriggs13/status/2006349941866946825", "https://x.com/CarlyGriggs13/status/2006344314444726410", "https://x.com/CarlyGriggs13/status/2006344994756743482", "https://x.com/CarlyGriggs13/status/2006349568989085701", "https://x.com/CarlyGriggs13/status/2006379503338270791", "https://x.com/CarlyGriggs13/status/2006356081182941602", "https://x.com/CarlyGriggs13/status/2006345278950171079", "https://x.com/CarlyGriggs13/status/2006338757532987877", "https://x.com/CarlyGriggs13/status/2006338436350025862", "https://x.com/skocherhan/status/2041053950502228336", "https://x.com/CarlyGriggs13/status/2006333438530666882", "https://x.com/CarlyGriggs13/status/2006380256052261020", "https://x.com/CarlyGriggs13/status/2006344709774639454", "https://x.com/CarlyGriggs13/status/2006406398742048791", "https://x.com/CarlyGriggs13/status/2006374297909022762", "https://x.com/CarlyGriggs13/status/2006368102955761777", "https://x.com/CarlyGriggs13/status/2006401234840719747", "https://x.com/CarlyGriggs13/status/2006355691594994104", "https://x.com/CarlyGriggs13/status/2006374016282701977", "https://x.com/CarlyGriggs13/status/2006387535426322465", "https://x.com/CarlyGriggs13/status/2006374468067705140", "https://x.com/CarlyGriggs13/status/2006361776732971358", "https://x.com/CarlyGriggs13/status/2006361691479490894", "https://kmsec.uk/blog/dprk-text-steganography/", "https://x.com/CarlyGriggs13/status/2006360868553216087", "https://x.com/CarlyGriggs13/status/2006344603776303174", "https://x.com/CarlyGriggs13/status/2006381005163426131", "https://threatprophet.com/posts/2026-03-26-triple-fork/", "https://x.com/CarlyGriggs13/status/2006361868030410888", "https://x.com/CarlyGriggs13/status/2006333747105522091", "https://x.com/CarlyGriggs13/status/2006361160246079606", "https://x.com/CarlyGriggs13/status/2006439075822309745", "https://x.com/CarlyGriggs13/status/2006392245922959783", "https://x.com/CarlyGriggs13/status/2006380612656230774", "https://x.com/CarlyGriggs13/status/2006380438743634095", "https://x.com/CarlyGriggs13/status/2006439622608593165", "https://x.com/CarlyGriggs13/status/2006327074836164644", "https://x.com/CarlyGriggs13/status/2006410680631455768", "https://x.com/skocherhan/status/2041158235495833828", "https://x.com/CarlyGriggs13/status/2006344401069678909", "https://x.com/CarlyGriggs13/status/2006399662786273483", "https://x.com/CarlyGriggs13/status/2006333100796850495", "https://x.com/CarlyGriggs13/status/2006439517868490817", "https://x.com/CarlyGriggs13/status/2006338910553813381", "https://x.com/CarlyGriggs13/status/2006360756275810562", "https://x.com/CarlyGriggs13/status/2006368732466315581", "https://x.com/CarlyGriggs13/status/2006336991336739010", "https://x.com/CarlyGriggs13/status/2006386739817177412", "https://x.com/CarlyGriggs13/status/2006349756063445274", "https://x.com/CarlyGriggs13/status/2006327225256386738", "https://x.com/CarlyGriggs13/status/2006373499104071730", "https://x.com/CarlyGriggs13/status/2006386353739841679", "https://x.com/CarlyGriggs13/status/2006336681134395892", "https://x.com/CarlyGriggs13/status/2006356356975284617", "https://x.com/CarlyGriggs13/status/2006391970378264978", "https://x.com/CarlyGriggs13/status/2006345188005040552", "https://x.com/CarlyGriggs13/status/2006332797401899325", "https://x.com/CarlyGriggs13/status/2006360952766423218", "https://x.com/CarlyGriggs13/status/2006401564324377020", "https://x.com/CarlyGriggs13/status/2006327378923143366", "https://x.com/CarlyGriggs13/status/2006339207544086807", "https://x.com/CarlyGriggs13/status/2006439262384959970", "https://x.com/CarlyGriggs13/status/2006374112978227592", "https://x.com/skocherhan/status/2041054024993050762", "https://x.com/CarlyGriggs13/status/2006331338782343300", "https://x.com/CarlyGriggs13/status/2006386645797687606", "https://x.com/CarlyGriggs13/status/2006410595499638837", "https://x.com/CarlyGriggs13/status/2006350831004917767", "https://x.com/CarlyGriggs13/status/2006356259843584003", "https://x.com/CarlyGriggs13/status/2006405838726935026", "https://x.com/CarlyGriggs13/status/2006345740818567624", "https://x.com/CarlyGriggs13/status/2006333897987236293", "https://x.com/CarlyGriggs13/status/2006356565910298896", "https://x.com/CarlyGriggs13/status/2006401053449654778", "https://x.com/CarlyGriggs13/status/2006400959417552924", "https://x.com/CarlyGriggs13/status/2006339364776001962", "https://x.com/CarlyGriggs13/status/2006386831772856434", "https://x.com/CarlyGriggs13/status/2006401753147674639", "https://x.com/CarlyGriggs13/status/2006397599281029133", "https://x.com/skocherhan/status/2041064085735784602", "https://x.com/CarlyGriggs13/status/2006331503098384756", "https://x.com/CarlyGriggs13/status/2006338050591502661", "https://x.com/CarlyGriggs13/status/2006332643760382124", "https://x.com/CarlyGriggs13/status/2006397492204564491", "https://x.com/CarlyGriggs13/status/2006332488315269219", "https://x.com/CarlyGriggs13/status/2006356172207698289" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Lazarus", "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5." ], "malware_families": [ "\u2019m", "Contagious interview", "Ottercookie" ], "industries": [ "Gaming", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 100, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c08867316c564ade394c69", "name": "PhishDestroy \u2014 Content Active Threats (Live)", "description": "Live feed of phishing and crypto scam domains with ACTIVE malicious content from PhishDestroy. These domains are verified to have live phishing/scam pages. Updated hourly. Source: github.com/phishdestroy/destroylist/dns/content_active.json", "modified": "2026-05-21T12:06:19.702000", "created": "2026-03-23T00:25:09.116000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy", "active", "content" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132502, "hostname": 66217 }, "indicator_count": 198719, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a052f410d91d8ca688c2e7d", "name": "IOC - Malware Found in Trending Hugging Face Repository \"Open-OSS/privacy-filter\"", "description": "On the 7th of May 2026, we identified malicious code in the Hugging Face repository Open-OSS/privacy-filter, which at the time appeared among the platform's top trending repositories with over 200k downloads until its removal by the Hugging Face team. The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.", "modified": "2026-05-14T02:11:13.529000", "created": "2026-05-14T02:11:13.529000", "tags": [ "hugging face", "infostealer", "winos", "c2 ips", "powershell", "file hashes", "sha256", "payload" ], "references": [ "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter#iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "IPv4": 1, "URL": 1, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a042f36be0e0f4f3d3fcb1c", "name": "Malware Found in Trending Hugging Face Repository Open-OSS/privacy-filter", "description": "On May 7, 2026, malicious code was discovered in the Hugging Face repository Open-OSS/privacy-filter, which had gained significant traction, amassing over 200,000 downloads within a single day prior to its removal. This repository utilized typosquatting techniques on OpenAI's genuine Privacy Filter, closely replicating its model card while incorporating a harmful http://loader.py file intended to deliver infostealer malware to Windows machines.", "modified": "2026-05-13T07:58:46.109000", "created": "2026-05-13T07:58:46.109000", "tags": [ "hugging face", "huggingface", "openai", "windows", "temp", "privacy filter", "jsonkeeper", "json paste", "localappdata", "appdata", "april", "winos", "discord", "panther", "infostealer", "powershell", "payload", "json" ], "references": [ "https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "IPv4": 1, "URL": 4, "domain": 15, "hostname": 1 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-09T05:12:44.308000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 893, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cb0ce73bef5c452bfb0", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:04.332000", "created": "2026-05-04T06:29:04.332000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83caf1bef3609f0eb79e2", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:03.120000", "created": "2026-05-04T06:29:03.120000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cac7d6c947de6c080f9", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:29:00.417000", "created": "2026-05-04T06:29:00.417000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab9769e92b3285a2b4", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.770000", "created": "2026-05-04T06:28:59.770000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f83cab7e03b19c5f1078e3", "name": "Credit: PhishDestroy Clone [\"phish detroy- open domains\"]", "description": "", "modified": "2026-05-04T06:28:59.113000", "created": "2026-05-04T06:28:59.113000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "69c081afa2bd54a9599b7c07", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 88564, "hostname": 54516 }, "indicator_count": 143080, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "28 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jsonkeeper.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jsonkeeper.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780345007.199884 }