{ "type": "Domain", "indicator": "kansaskollection.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/kansaskollection.com", "alexa": "http://www.alexa.com/siteinfo/kansaskollection.com", "indicator": "kansaskollection.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3994000321, "indicator": "kansaskollection.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6712853de72c457312a3336b", "name": "ClickFix tactic: The Phantom Meet", "description": "This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and macOS systems, spreading infostealers like Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain, infrastructure, and provides insights into the broader malware distribution ecosystem associated with these threat actors.", "modified": "2024-11-17T15:01:49.122000", "created": "2024-10-18T15:56:45.543000", "tags": [ "clickfix", "web3", "social engineering", "stealc", "amos stealer", "phishing", "cryptocurrency", "google meet", "infostealer", "rhadamanthys" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Slavic Nation Empire", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 13, "domain": 144, "hostname": 7 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 376724, "modified_text": "513 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef8acdfe632a32bd164cbc", "name": "Threat Intel Report - W11-2025", "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:31:25.772000", "tags": [ "mozi", "germany", "india", "china", "grouped", "vietnam", "united kingdom", "singapore", "week", "group", "indonesia", "clearfake", "asyncrat", "stealc", "smartloader", "mexico", "remcos", "malware", "date", "belarus", "ukraine", "amadey", "lockbit", "linux", "superblack", "akira" ], "references": [ "https://urlhaus.abuse.ch/", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "SuperBlack", "display_name": "SuperBlack", "target": null }, { "id": "Akira", "display_name": "Akira", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "FileHash-MD5": 51, "FileHash-SHA1": 51, "FileHash-SHA256": 117, "domain": 62, "hostname": 114 }, "indicator_count": 486, "is_author": false, "is_subscribing": null, "subscriber_count": 105, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0cdc35112c5919563a334", "name": "Intel is bad awy", "description": "", "modified": "2025-03-29T20:01:20.482000", "created": "2025-02-27T20:40:35.539000", "tags": [ "sign", "github", "find", "view", "search", "strong", "code issues", "pull", "breadcrumbs", "damn", "star", "footer", "sha1", "helldown linux", "iocs helldown", "windows payload", "icon", "darkrace", "donex", "ransom", "defanged file", "hashes", "ipv4", "sha256", "c2 ip", "address", "plugin", "brazanbamboo c2", "panel", "archive file", "bha006", "telegram bot", "token", "chat id", "sha256 hashes", "iocs", "intermediary", "landing", "aitm server", "compromise note", "hashes payload", "loader", "dropper", "ips https", "urls https", "duoyi", "ioc url", "ipv4 address", "c2 server", "sample sha256", "remcos", "decrypted", "urls http", "payload", "amos stealer", "stealc c2", "rhadamanthys c2", "phishing urls", "google meet", "amos steaker", "html payload", "stealc payload", "md5 hashes", "sha1 hashes", "iocs zip", "lnk file", "msi file", "payload url", "eldorado", "linux", "service dll", "cheat engine", "c2 domain", "compromise", "urls", "iocs files", "network ip", "domain", "malware hash", "noopldr type1", "noopldr type2", "download url", "email addresses", "block", "ioc http", "iocs hash", "url https", "ghostgambit", "hidden rootkit", "gh0strat", "mekotio banking", "financial", "latin america", "detected", "zipmsi", "downloader", "ip address", "cobalt strike", "first seen", "seen", "pantegana", "tls certificate", "fingerprint", "samples", "trojanspy", "msi", "subdomains", "reddit", "wetransfer", "ioc hash", "file hashes", "ip addresses", "fake captcha", "html", "hta script", "lumma payload", "filehashsha256", "indicator type", "sha256 lnk", "ports", "first stage", "md5 file", "domains", "reddelta c2", "servers", "octoberdecember", "shortcut", "files", "solo airfield", "quoc", "bctt", "kongtuke", "mintsloader c2", "js download", "c2 http", "boinc c2", "c2 address", "analyzed", "file name", "na stark", "na majestic", "description", "trojanized", "beavertail", "anydesk module", "domain hosting", "first", "details", "monitor", "sites", "fake chrome", "payload host", "c2 https", "examples", "atomic stealer", "c2 servers", "cthulhu stealer", "server http", "l files", "original", "iocs malicious", "mirrowsimps", "defanged", "strike loaders", "plugx", "plugx c2", "sspiuacbypass", "malware", "malware c2", "filehashmd5", "site", "orgvgodpayment", "quite solsjoas", "ioc sha256", "similar sha256", "http", "url hundreds", "url samples", "filehash", "guidloader", "finaldraft elf", "type name", "reference", "finaldraft", "sha256 pfman", "pathloader", "atomic https", "systembc", "ghostsocks", "invisibleferret", "vant", "rspackcore", "monero", "sha256 hash", "code snippets", "psexec", "ituneshelper", "pscp", "sftp", "googleupdate", "meshagent", "ultravnc", "file", "bootkitty iocs", "phpsert", "phpsert variant", "createdump tool", "visual studio", "code", "server", "sql injection", "studio code", "ssh access", "hta file", "vbshower c2", "powershower c2", "cloud", "hta md5", "domain name", "links", "c http", "horns", "version", "version b", "version c", "version d", "version e", "burnsrat c", "a http", "github users", "shell commands", "vssadmin delete", "userprofile", "public", "registry keys", "phobos", "lettointago", "carljohnson1948", "samuelwhite1821", "file hash", "lockbit", "indicatortype", "data", "mlpea", "w32neshtad", "gmer", "neshta", "opswat oesis", "v4 removal" ], "references": [ "Bootkitty", "Glove-Stealer", "Fake Discount Sites Exploit Black Friday", "Helldown Ransomware", "HawkEye Malware", "PXA Stealer", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "BrazenBamboo", "SpyGlace", "RustyStealer and New Ymir Ransomware", "PyPI-AIOCPA", "Python NodeStealer", "romcom-exploits-firefox-and-windows", "Rockstar-Phishing", "Silent Skimmer Gets Loud (Again)", "SteelFox Trojan", "WezRat Malware", "Avast-Anti-Root-KIt", "Winos4.0 RAT", "APT36", "WolfsBane Backdoor", "APT-K-47", "Remcos RAT", "babbleloader", "Bitter APT", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "CloudScout_ Evasive Panda scouting cloud services", "clickfix-tactic", "Akira Ransomware", "Bumblebee Malware", "ELDORADO RANSOMWARE", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "Demodex rootkit", "BugSleep Malware", "HotPage.exe (malware)", "Qilin Ransomware", "NOOPDOOR Malware", "Shadowroot Ransomware", "play ransomware", "MALLOX RANSOMWARE", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "ACR Stealer", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Gh0stGambit", "MEKOTIO BANKING TROJAN", "TAG-100", "Fake game sites lead to information stealers", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "macOS Users Targeted by the New Variant of Banshee Infostealer", "Hundreds of fake Reddit sites push Lumma Stealer malware", "GamaCopy APT Group Mimicking GamaRedon", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "RansomHub Affiliate leverages Python-based backdoor", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "Advanced Evasion Techniques Used by NonEuclid RAT", "The Return of PlugX Malware with Fresh Tricks", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "Weaponized Software Targeting Chinese Organizations", "Threat Surge as Lumma Stealer Expands Its Reach", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "MintsLoader_Stealc", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "Salt Typhoon Target U.S. Telecom Networks", "SecTopRAT", "Stealers on the Rise", "Snake Keylogger", "AsyncRAT Reloaded", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "FatalRAT", "SystemBC RAT Poses New Risks to Linux System", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "Espionage Campaign Targeting South Asian Entities", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "The New Ransomware Menace Vgod Gains Momentum", "Microsoft Advertisers Phished via Malicious Google Ads", "LegionLoader Malware Expands Global Reach", "NEW.txt", "From Stealers to Ransomware PureCrypter Delivers It All", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "LockBit Ransomware Attack Leveraging Cobalt Strike", "Rspack_Compromised_Packages", "SmokeLoader", "Sock5Systemz-PROXY-AM", "solana-backdoor", "U.S. Organization in China Targeted by Attackers", "UAC-0185 attacks warned by CERT-UA", "BellaCpp", "bootkitty(logofail)", "Visual Studio Code Remote tunnels", "Cloud Atlas seen using a new tool in its attacks", "Christmas-Themed LNK Files Used for Malware Delivery", "DarkGate", "MirrorFace Campain", "horns-hooves", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "NetSupport RAT and BurnsRAT", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "MUT-1244-GitHub", "Phobos ransomware", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "PUMAKIT", "OtterCookie used by Contagious Interview", "Ransomware-Lockbit3-IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mekotio Banking", "display_name": "Mekotio Banking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "MSI", "display_name": "MSI", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "Vant", "display_name": "Vant", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Badderawy", "id": "310597", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 950, "FileHash-SHA1": 847, "FileHash-SHA256": 1060, "hostname": 1158, "domain": 867, "URL": 813, "email": 77, "CIDR": 2, "CVE": 9 }, "indicator_count": 5783, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672261a2b43e06073e4a15f0", "name": "ClickFix Campaign Threats to Organizations", "description": "Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.", "modified": "2024-11-29T16:04:28.153000", "created": "2024-10-30T16:41:06.043000", "tags": [], "references": [ "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "xmrig", "display_name": "xmrig", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 28, "domain": 158, "hostname": 8 }, "indicator_count": 223, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "501 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d3efafe0408a73fde2b6", "name": "Threat Intel Report - W42-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:46:07.116000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d3f1b2d95f85c40b2233", "name": "Threat Intel Report - W42-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:46:09.554000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d5365b2f8eed9f8fa754", "name": "Threat Intel Report - W43-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:51:34.212000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6716012a868b8277693de414", "name": "ClickFix tactic: The Phantom Meet - Sekoia.io Blog", "description": "A new social engineering tactic used by cybercrime groups to spread malware has been identified by researchers at Sekoia Research, a leading security firm, in a report published in the journal Security Research.", "modified": "2024-11-20T07:05:26.386000", "created": "2024-10-21T07:22:18.944000", "tags": [ "google meet", "clickfix", "amos stealer", "slavic nation", "empire", "sekoia", "commeet", "sha256", "telegram", "web3", "stealc", "facebook", "rhadamanthys", "powershell", "matanbuchus", "darkgate", "june", "clearfake", "august", "lumma stealer", "macos", "ultimate", "marko polo", "netsupport", "lumma", "amos" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Transport", "Logistics", "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 15, "domain": 145, "hostname": 7 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 844, "modified_text": "510 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671359bae7db36de3c9a9d8f", "name": "Ongoing ClickFix Campaign conducted By Fake Google Meet Pages", "description": "", "modified": "2024-11-18T07:02:31.109000", "created": "2024-10-19T07:03:22.654000", "tags": [ "classification", "confidential", "cyber threat", "october", "time", "crypto cyber", "defence", "confidential ip", "urls", "hashes" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 11, "domain": 145, "hostname": 7 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 483, "modified_text": "512 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Glove-Stealer", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "NOOPDOOR Malware", "https://any.run/malware-trends/", "From Stealers to Ransomware PureCrypter Delivers It All", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "Phobos ransomware", "GamaCopy APT Group Mimicking GamaRedon", "Hundreds of fake Reddit sites push Lumma Stealer malware", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues", "play ransomware", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "SystemBC RAT Poses New Risks to Linux System", "Demodex rootkit", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "Rspack_Compromised_Packages", "bootkitty(logofail)", "BellaCpp", "Salt Typhoon Target U.S. Telecom Networks", "UAC-0185 attacks warned by CERT-UA", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "Weaponized Software Targeting Chinese Organizations", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "Rockstar-Phishing", "Threat Surge as Lumma Stealer Expands Its Reach", "OtterCookie used by Contagious Interview", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "Visual Studio Code Remote tunnels", "Python NodeStealer", "RansomHub Affiliate leverages Python-based backdoor", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "LockBit Ransomware Attack Leveraging Cobalt Strike", "Cloud Atlas seen using a new tool in its attacks", "Sock5Systemz-PROXY-AM", "AsyncRAT Reloaded", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials", "PyPI-AIOCPA", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "clickfix-tactic", "Advanced Evasion Techniques Used by NonEuclid RAT", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "solana-backdoor", "MirrorFace Campain", "Bumblebee Malware", "Helldown Ransomware", "Silent Skimmer Gets Loud (Again)", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "Bitter APT", "SteelFox Trojan", "https://urlhaus.abuse.ch/", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "babbleloader", "CloudScout_ Evasive Panda scouting cloud services", "MALLOX RANSOMWARE", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "APT-K-47", "NEW.txt", "Espionage Campaign Targeting South Asian Entities", "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "LegionLoader Malware Expands Global Reach", "MUT-1244-GitHub", "NetSupport RAT and BurnsRAT", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "SmokeLoader", "FatalRAT", "PXA Stealer", "DarkGate", "Ransomware-Lockbit3-IOCs.csv", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "Gh0stGambit", "Avast-Anti-Root-KIt", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "MEKOTIO BANKING TROJAN", "Shadowroot Ransomware", "TAG-100", "SpyGlace", "SecTopRAT", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/", "Stealers on the Rise", "BugSleep Malware", "Microsoft Advertisers Phished via Malicious Google Ads", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "ELDORADO RANSOMWARE", "The New Ransomware Menace Vgod Gains Momentum", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "PUMAKIT", "horns-hooves", "BrazenBamboo", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "romcom-exploits-firefox-and-windows", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Remcos RAT", "Qilin Ransomware", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "Christmas-Themed LNK Files Used for Malware Delivery", "Bootkitty", "Winos4.0 RAT", "HotPage.exe (malware)", "MintsLoader_Stealc", "Fake game sites lead to information stealers", "Snake Keylogger", "Fake Discount Sites Exploit Black Friday", "WolfsBane Backdoor", "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "HawkEye Malware", "WezRat Malware", "RustyStealer and New Ymir Ransomware", "ACR Stealer", "U.S. Organization in China Targeted by Attackers", "APT36", "The Return of PlugX Malware with Fresh Tricks", "Akira Ransomware", "macOS Users Targeted by the New Variant of Banshee Infostealer", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html" ], "related": { "alienvault": { "adversary": [ "Slavic Nation Empire" ], "malware_families": [ "Amos stealer", "Stealc", "Rhadamanthys" ], "industries": [] }, "other": { "adversary": [ "Marko Polo" ], "malware_families": [ "Linux", "Redline", "Xmrig", "Amadey", "Stealc", "Superblack", "Clickfix", "Netsupport", "Akira", "Trojanspy", "Vant", "Rhadamanthys", "Lumma", "Invisibleferret", "Matanbuchus", "Vidar", "Lockbit", "Darkgate", "Mekotio banking", "Msi", "Amos" ], "industries": [ "Cryptocurrency", "Transport", "Logistics", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6712853de72c457312a3336b", "name": "ClickFix tactic: The Phantom Meet", "description": "This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and macOS systems, spreading infostealers like Stealc, Rhadamanthys, and AMOS Stealer. The operation is linked to cybercrime groups 'Slavic Nation Empire' and 'Scamquerteo', sub-teams of larger cryptocurrency scam organizations. The report details the infection chain, infrastructure, and provides insights into the broader malware distribution ecosystem associated with these threat actors.", "modified": "2024-11-17T15:01:49.122000", "created": "2024-10-18T15:56:45.543000", "tags": [ "clickfix", "web3", "social engineering", "stealc", "amos stealer", "phishing", "cryptocurrency", "google meet", "infostealer", "rhadamanthys" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Slavic Nation Empire", "targeted_countries": [ "Poland" ], "malware_families": [ { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "AMOS Stealer", "display_name": "AMOS Stealer", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 13, "domain": 144, "hostname": 7 }, "indicator_count": 172, "is_author": false, "is_subscribing": null, "subscriber_count": 376724, "modified_text": "513 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef8acdfe632a32bd164cbc", "name": "Threat Intel Report - W11-2025", "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:31:25.772000", "tags": [ "mozi", "germany", "india", "china", "grouped", "vietnam", "united kingdom", "singapore", "week", "group", "indonesia", "clearfake", "asyncrat", "stealc", "smartloader", "mexico", "remcos", "malware", "date", "belarus", "ukraine", "amadey", "lockbit", "linux", "superblack", "akira" ], "references": [ "https://urlhaus.abuse.ch/", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "SuperBlack", "display_name": "SuperBlack", "target": null }, { "id": "Akira", "display_name": "Akira", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "FileHash-MD5": 51, "FileHash-SHA1": 51, "FileHash-SHA256": 117, "domain": 62, "hostname": 114 }, "indicator_count": 486, "is_author": false, "is_subscribing": null, "subscriber_count": 105, "modified_text": "345 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0cdc35112c5919563a334", "name": "Intel is bad awy", "description": "", "modified": "2025-03-29T20:01:20.482000", "created": "2025-02-27T20:40:35.539000", "tags": [ "sign", "github", "find", "view", "search", "strong", "code issues", "pull", "breadcrumbs", "damn", "star", "footer", "sha1", "helldown linux", "iocs helldown", "windows payload", "icon", "darkrace", "donex", "ransom", "defanged file", "hashes", "ipv4", "sha256", "c2 ip", "address", "plugin", "brazanbamboo c2", "panel", "archive file", "bha006", "telegram bot", "token", "chat id", "sha256 hashes", "iocs", "intermediary", "landing", "aitm server", "compromise note", "hashes payload", "loader", "dropper", "ips https", "urls https", "duoyi", "ioc url", "ipv4 address", "c2 server", "sample sha256", "remcos", "decrypted", "urls http", "payload", "amos stealer", "stealc c2", "rhadamanthys c2", "phishing urls", "google meet", "amos steaker", "html payload", "stealc payload", "md5 hashes", "sha1 hashes", "iocs zip", "lnk file", "msi file", "payload url", "eldorado", "linux", "service dll", "cheat engine", "c2 domain", "compromise", "urls", "iocs files", "network ip", "domain", "malware hash", "noopldr type1", "noopldr type2", "download url", "email addresses", "block", "ioc http", "iocs hash", "url https", "ghostgambit", "hidden rootkit", "gh0strat", "mekotio banking", "financial", "latin america", "detected", "zipmsi", "downloader", "ip address", "cobalt strike", "first seen", "seen", "pantegana", "tls certificate", "fingerprint", "samples", "trojanspy", "msi", "subdomains", "reddit", "wetransfer", "ioc hash", "file hashes", "ip addresses", "fake captcha", "html", "hta script", "lumma payload", "filehashsha256", "indicator type", "sha256 lnk", "ports", "first stage", "md5 file", "domains", "reddelta c2", "servers", "octoberdecember", "shortcut", "files", "solo airfield", "quoc", "bctt", "kongtuke", "mintsloader c2", "js download", "c2 http", "boinc c2", "c2 address", "analyzed", "file name", "na stark", "na majestic", "description", "trojanized", "beavertail", "anydesk module", "domain hosting", "first", "details", "monitor", "sites", "fake chrome", "payload host", "c2 https", "examples", "atomic stealer", "c2 servers", "cthulhu stealer", "server http", "l files", "original", "iocs malicious", "mirrowsimps", "defanged", "strike loaders", "plugx", "plugx c2", "sspiuacbypass", "malware", "malware c2", "filehashmd5", "site", "orgvgodpayment", "quite solsjoas", "ioc sha256", "similar sha256", "http", "url hundreds", "url samples", "filehash", "guidloader", "finaldraft elf", "type name", "reference", "finaldraft", "sha256 pfman", "pathloader", "atomic https", "systembc", "ghostsocks", "invisibleferret", "vant", "rspackcore", "monero", "sha256 hash", "code snippets", "psexec", "ituneshelper", "pscp", "sftp", "googleupdate", "meshagent", "ultravnc", "file", "bootkitty iocs", "phpsert", "phpsert variant", "createdump tool", "visual studio", "code", "server", "sql injection", "studio code", "ssh access", "hta file", "vbshower c2", "powershower c2", "cloud", "hta md5", "domain name", "links", "c http", "horns", "version", "version b", "version c", "version d", "version e", "burnsrat c", "a http", "github users", "shell commands", "vssadmin delete", "userprofile", "public", "registry keys", "phobos", "lettointago", "carljohnson1948", "samuelwhite1821", "file hash", "lockbit", "indicatortype", "data", "mlpea", "w32neshtad", "gmer", "neshta", "opswat oesis", "v4 removal" ], "references": [ "Bootkitty", "Glove-Stealer", "Fake Discount Sites Exploit Black Friday", "Helldown Ransomware", "HawkEye Malware", "PXA Stealer", "Iranian Hackers Use GitHub and Phishing to Evade Detection in SnailResin Attack", "BrazenBamboo", "SpyGlace", "RustyStealer and New Ymir Ransomware", "PyPI-AIOCPA", "Python NodeStealer", "romcom-exploits-firefox-and-windows", "Rockstar-Phishing", "Silent Skimmer Gets Loud (Again)", "SteelFox Trojan", "WezRat Malware", "Avast-Anti-Root-KIt", "Winos4.0 RAT", "APT36", "WolfsBane Backdoor", "APT-K-47", "Remcos RAT", "babbleloader", "Bitter APT", "UAC-0194\u2019s Exploitation of CVE-2024-43451 in Ukraine for Phishing", "CloudScout_ Evasive Panda scouting cloud services", "clickfix-tactic", "Akira Ransomware", "Bumblebee Malware", "ELDORADO RANSOMWARE", "Evasive Panda Uses MACMA and MgBot Malware to Target US and Taiwan", "Demodex rootkit", "BugSleep Malware", "HotPage.exe (malware)", "Qilin Ransomware", "NOOPDOOR Malware", "Shadowroot Ransomware", "play ransomware", "MALLOX RANSOMWARE", "New Malware Campaign Abusing RDPWrapper and Tailscale to Target Cryptocurrency Users", "ACR Stealer", "Suspicious Domains Exploiting the Recent CrowdStrike Outage!", "Gh0stGambit", "MEKOTIO BANKING TROJAN", "TAG-100", "Fake game sites lead to information stealers", "Chrome Extensions Hijacked, 2.6 Million Users Impacted", "macOS Users Targeted by the New Variant of Banshee Infostealer", "Hundreds of fake Reddit sites push Lumma Stealer malware", "GamaCopy APT Group Mimicking GamaRedon", "InvisibleFerret Malware Leveraging Python for Targeted Attacks", "Fake CAPTCHA Campaign That Spreads LUMMA Info Stealer", "REF5961 Group Deploys EAGERBEE Backdoor Against Critical Sectors", "Phishing Campaigns Fuel Compiled AutoIt Malware Distribution", "The great Google Ads heist_ criminals ransack advertiser accounts via fake Google ads", "New Star Blizzard spear-phishing campaign targets WhatsApp accounts", "RansomHub Affiliate leverages Python-based backdoor", "Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques", "Advanced Evasion Techniques Used by NonEuclid RAT", "The Return of PlugX Malware with Fresh Tricks", "The Growing Risk of Sneaky 2FA for Microsoft and Gmail Accounts", "Weaponized Software Targeting Chinese Organizations", "Threat Surge as Lumma Stealer Expands Its Reach", "Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain", "MintsLoader_Stealc", "North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks", "North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware", "Rat Race_ ValleyRAT Malware Targets Organizations with New Delivery Techniques", "Salt Typhoon Target U.S. Telecom Networks", "SecTopRAT", "Stealers on the Rise", "Snake Keylogger", "AsyncRAT Reloaded", "The BadPilot campaign_ Seashell Blizzard subgroup conducts multiyear global access operation", "FatalRAT", "SystemBC RAT Poses New Risks to Linux System", "Unveiling Silent Lynx APT Targeting Entities Across Kyrgyzstan & Neighbouring Nations", "FERRET Malware Targets macOS in Sophisticated North Korean Attacks", "Espionage Campaign Targeting South Asian Entities", "Astral Stealer Strikes Again Stealing More Than Just Your Cookies", "The New Ransomware Menace Vgod Gains Momentum", "Microsoft Advertisers Phished via Malicious Google Ads", "LegionLoader Malware Expands Global Reach", "NEW.txt", "From Stealers to Ransomware PureCrypter Delivers It All", "New Phishing Campaign Abuses Webflow, SEO, and Fake CAPTCHAs", "FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux", "LockBit Ransomware Attack Leveraging Cobalt Strike", "Rspack_Compromised_Packages", "SmokeLoader", "Sock5Systemz-PROXY-AM", "solana-backdoor", "U.S. Organization in China Targeted by Attackers", "UAC-0185 attacks warned by CERT-UA", "BellaCpp", "bootkitty(logofail)", "Visual Studio Code Remote tunnels", "Cloud Atlas seen using a new tool in its attacks", "Christmas-Themed LNK Files Used for Malware Delivery", "DarkGate", "MirrorFace Campain", "horns-hooves", "Developers Targeted by New \u2018OtterCookie\u2019 Malware with Fake Job Offers", "NetSupport RAT and BurnsRAT", "Cybercriminals Leverage Fake CAPTCHAs for Malware Delivery", "MUT-1244-GitHub", "Phobos ransomware", "Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data", "PUMAKIT", "OtterCookie used by Contagious Interview", "Ransomware-Lockbit3-IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Mekotio Banking", "display_name": "Mekotio Banking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "MSI", "display_name": "MSI", "target": null }, { "id": "InvisibleFerret", "display_name": "InvisibleFerret", "target": null }, { "id": "Vant", "display_name": "Vant", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 84, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Badderawy", "id": "310597", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 950, "FileHash-SHA1": 847, "FileHash-SHA256": 1060, "hostname": 1158, "domain": 867, "URL": 813, "email": 77, "CIDR": 2, "CVE": 9 }, "indicator_count": 5783, "is_author": false, "is_subscribing": null, "subscriber_count": 27, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672261a2b43e06073e4a15f0", "name": "ClickFix Campaign Threats to Organizations", "description": "Deepwatch Threat Intel team assesses that cybercriminals will likely continue using the ClickFix technique to target organizations and individuals. The ClickFix technique is a social engineering tactic employed by cybercriminals to deceive users into downloading malware through fake CAPTCHAs, error messages, and prompts that entice users to inadvertently run malicious PowerShell scripts and commands.", "modified": "2024-11-29T16:04:28.153000", "created": "2024-10-30T16:41:06.043000", "tags": [], "references": [ "https://securelist.com/fake-captcha-delivers-lumma-amadey/114312/", "https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clearfake-trojan-malware.html", "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-fake-google-meet-pages-and-technical-issues", "https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Amadey", "display_name": "Amadey", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null }, { "id": "Vidar", "display_name": "Vidar", "target": null }, { "id": "Rhadamanthys", "display_name": "Rhadamanthys", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "xmrig", "display_name": "xmrig", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1562.006", "name": "Indicator Blocking", "display_name": "T1562.006 - Indicator Blocking" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 28, "domain": 158, "hostname": 8 }, "indicator_count": 223, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "501 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d3efafe0408a73fde2b6", "name": "Threat Intel Report - W42-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:46:07.116000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d3f1b2d95f85c40b2233", "name": "Threat Intel Report - W42-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:46:09.554000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6718d5365b2f8eed9f8fa754", "name": "Threat Intel Report - W43-2024", "description": "This is a cyber-advisory document, presenting the compiled cyber threat intelligence sourced from various channels and tools.\nThese are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week.\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools.\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2024-11-22T10:00:39.242000", "created": "2024-10-23T10:51:34.212000", "tags": [ "mozi", "mozi link", "brazil", "germany", "singapore", "panama", "china", "france", "week", "turkey", "indonesia", "stealc", "asyncrat", "remcos", "coinminer", "ukraine", "amadey" ], "references": [ "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 46, "FileHash-SHA256": 117, "URL": 202, "domain": 52, "hostname": 75 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6716012a868b8277693de414", "name": "ClickFix tactic: The Phantom Meet - Sekoia.io Blog", "description": "A new social engineering tactic used by cybercrime groups to spread malware has been identified by researchers at Sekoia Research, a leading security firm, in a report published in the journal Security Research.", "modified": "2024-11-20T07:05:26.386000", "created": "2024-10-21T07:22:18.944000", "tags": [ "google meet", "clickfix", "amos stealer", "slavic nation", "empire", "sekoia", "commeet", "sha256", "telegram", "web3", "stealc", "facebook", "rhadamanthys", "powershell", "matanbuchus", "darkgate", "june", "clearfake", "august", "lumma stealer", "macos", "ultimate", "marko polo", "netsupport", "lumma", "amos" ], "references": [ "https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/" ], "public": 1, "adversary": "Marko Polo", "targeted_countries": [], "malware_families": [ { "id": "Matanbuchus", "display_name": "Matanbuchus", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "ClickFix", "display_name": "ClickFix", "target": null }, { "id": "AMOS", "display_name": "AMOS", "target": null } ], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Transport", "Logistics", "Cryptocurrency", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 15, "domain": 145, "hostname": 7 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 844, "modified_text": "510 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671359bae7db36de3c9a9d8f", "name": "Ongoing ClickFix Campaign conducted By Fake Google Meet Pages", "description": "", "modified": "2024-11-18T07:02:31.109000", "created": "2024-10-19T07:03:22.654000", "tags": [ "classification", "confidential", "cyber threat", "october", "time", "crypto cyber", "defence", "confidential ip", "urls", "hashes" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 11, "domain": 145, "hostname": 7 }, "indicator_count": 169, "is_author": false, "is_subscribing": null, "subscriber_count": 483, "modified_text": "512 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "kansaskollection.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "kansaskollection.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776222904.459198 }