{
  "type": "Domain",
  "indicator": "kprocurement.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/kprocurement.com",
    "alexa": "http://www.alexa.com/siteinfo/kprocurement.com",
    "indicator": "kprocurement.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2245378426,
      "indicator": "kprocurement.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "68af58ce8cb7bcf7195c203f",
          "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing",
          "description": "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domains matching registered U.S. companies and maintain similar template websites across multiple domains. The campaign primarily targets U.S.-based organizations in industrial manufacturing, hardware, semiconductors, and other sectors, affecting both large enterprises and smaller businesses.",
          "modified": "2025-09-26T19:04:46.621000",
          "created": "2025-08-27T19:13:18.668000",
          "tags": [
            "Phishing",
            "manufacturing",
            "MixShell",
            "DNS Tunneling",
            "ZipLine"
          ],
          "references": [
            "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domain"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Switzerland",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "MixShell",
              "display_name": "MixShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1553.005",
              "name": "Mark-of-the-Web Bypass",
              "display_name": "T1553.005 - Mark-of-the-Web Bypass"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Manufacturing",
            "Aerospace",
            "Technology",
            "Energy",
            "Semiconductor"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 56,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 15
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386872,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691b8869e00b107fa20d9482",
          "name": "ThreatFix",
          "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
          "modified": "2026-01-23T11:01:07.175000",
          "created": "2025-11-17T20:41:11.797000",
          "tags": [
            "",
            "ransomware",
            "malware"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "",
              "display_name": "",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "zlepos384",
            "id": "103244",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8010,
            "FileHash-SHA1": 7922,
            "FileHash-SHA256": 8893,
            "URL": 57004,
            "domain": 36018,
            "hostname": 96473
          },
          "indicator_count": 214320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "130 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a7f6cccd788262b87670e6",
          "name": "EbeeAugust2025 Pt3",
          "description": "",
          "modified": "2025-10-02T14:03:15.669000",
          "created": "2025-08-22T04:49:16.441000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 3,
            "FileHash-MD5": 219,
            "FileHash-SHA1": 197,
            "FileHash-SHA256": 260,
            "URL": 89,
            "domain": 180,
            "email": 4,
            "hostname": 64
          },
          "indicator_count": 1016,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "242 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b0d8d4c1f779071120490f",
          "name": "aaaaaaaaa",
          "description": "Hundreds of people are involved in a range of business-related research and development projects, as well as a handful of companies, which are currently under review.. and a number of other companies.",
          "modified": "2025-09-27T22:07:03.425000",
          "created": "2025-08-28T22:31:48.808000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "domain": 15
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "247 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68aff51a5e8b5dab829a0e48",
          "name": "IOC - ZipLine Phishing Campaign Targets U.S. Manufacturing",
          "description": "",
          "modified": "2025-09-26T19:04:46.621000",
          "created": "2025-08-28T06:20:10.372000",
          "tags": [
            "Phishing",
            "manufacturing",
            "MixShell",
            "DNS Tunneling",
            "ZipLine"
          ],
          "references": [
            "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domain"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "Switzerland",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "MixShell",
              "display_name": "MixShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1553.005",
              "name": "Mark-of-the-Web Bypass",
              "display_name": "T1553.005 - Mark-of-the-Web Bypass"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Manufacturing",
            "Aerospace",
            "Technology",
            "Energy",
            "Semiconductor"
          ],
          "TLP": "white",
          "cloned_from": "68af58ce8cb7bcf7195c203f",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 15
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68af1d050de56fca342b8ac2",
          "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
          "description": "A sophisticated phishing campaign targeting supply chain-critical manufacturing companies has been uncovered by Check Point Research, a leading security research firm, and is being investigated by the US Department of Defense (DoD).",
          "modified": "2025-09-26T14:00:21.724000",
          "created": "2025-08-27T14:58:12.465000",
          "tags": [
            "string",
            "mixshell",
            "zip archive",
            "zipline",
            "contact",
            "zip file",
            "ip address",
            "com object",
            "check point",
            "dns txt",
            "powershell",
            "form",
            "marker",
            "small",
            "transferloader"
          ],
          "references": [
            "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Singapore",
            "Japan",
            "Switzerland"
          ],
          "malware_families": [
            {
              "id": "TransferLoader",
              "display_name": "TransferLoader",
              "target": null
            },
            {
              "id": "ZipLine",
              "display_name": "ZipLine",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1008",
              "name": "Fallback Channels",
              "display_name": "T1008 - Fallback Channels"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1072",
              "name": "Software Deployment Tools",
              "display_name": "T1072 - Software Deployment Tools"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Industrial",
            "Manufacturing",
            "Biotech",
            "Pharmaceuticals",
            "Critical Industries",
            "Electronics",
            "Aerospace",
            "Energy"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "KernelSanders",
            "id": "73862",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 16
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "248 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68aef879641bcd6589c05362",
          "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
          "description": "",
          "modified": "2025-09-26T12:00:35.589000",
          "created": "2025-08-27T12:22:17.536000",
          "tags": [
            "string",
            "mixshell",
            "zip archive",
            "zipline",
            "contact",
            "zip file",
            "ip address",
            "com object",
            "check point",
            "dns txt",
            "powershell",
            "form",
            "marker",
            "small"
          ],
          "references": [
            "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 16
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68b546b108bf4b5f9685e15d",
          "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
          "description": "",
          "modified": "2025-09-26T12:00:35.589000",
          "created": "2025-09-01T07:09:37.148000",
          "tags": [
            "string",
            "mixshell",
            "zip archive",
            "zipline",
            "contact",
            "zip file",
            "ip address",
            "com object",
            "check point",
            "dns txt",
            "powershell",
            "form",
            "marker",
            "small"
          ],
          "references": [
            "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68aef879641bcd6589c05362",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 16
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68aeae0b088d28b7ea2748b2",
          "name": "IOC-ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies",
          "description": "ZipLine is a highly sophisticated socially engineered phishing operation aimed at U.S. manufacturing and other critical supply-chain enterprises. Attackers initiate contact via publicly available \"Contact Us\" forms, prompting the target to respond. Over several weeks of businesslike dialogue, the attackers gradually gain trust and ultimately deliver a malicious payload from a trusted platform. The payload executes a backdoor named MixShell in memory and communicates with C2 over a DNS TXT tunnel, enabling persistence and anti-detection. The operation also exploits social engineering around AI transformation themes and abuses platform/domain trust mechanisms.",
          "modified": "2025-09-26T07:03:57.273000",
          "created": "2025-08-27T07:04:43.386000",
          "tags": [
            "domains"
          ],
          "references": [
            ""
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 26,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 15
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ae5e1217a26276db31a967",
          "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
          "description": "",
          "modified": "2025-09-26T01:04:18.490000",
          "created": "2025-08-27T01:23:30.299000",
          "tags": [
            "string",
            "mixshell",
            "zip archive",
            "zipline",
            "contact",
            "zip file",
            "ip address",
            "com object",
            "check point",
            "dns txt",
            "powershell",
            "form",
            "marker",
            "small"
          ],
          "references": [
            "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 14,
            "domain": 16
          },
          "indicator_count": 30,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "249 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domain",
        "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Mixshell"
          ],
          "industries": [
            "Semiconductor",
            "Manufacturing",
            "Technology",
            "Energy",
            "Aerospace"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "",
            "Mixshell",
            "Transferloader",
            "Zipline"
          ],
          "industries": [
            "Electronics",
            "Semiconductor",
            "Manufacturing",
            "Industrial",
            "Technology",
            "Biotech",
            "Pharmaceuticals",
            "Energy",
            "Critical industries",
            "Aerospace"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "68af58ce8cb7bcf7195c203f",
      "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing",
      "description": "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domains matching registered U.S. companies and maintain similar template websites across multiple domains. The campaign primarily targets U.S.-based organizations in industrial manufacturing, hardware, semiconductors, and other sectors, affecting both large enterprises and smaller businesses.",
      "modified": "2025-09-26T19:04:46.621000",
      "created": "2025-08-27T19:13:18.668000",
      "tags": [
        "Phishing",
        "manufacturing",
        "MixShell",
        "DNS Tunneling",
        "ZipLine"
      ],
      "references": [
        "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domain"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "Switzerland",
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "MixShell",
          "display_name": "MixShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1553.005",
          "name": "Mark-of-the-Web Bypass",
          "display_name": "T1553.005 - Mark-of-the-Web Bypass"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Manufacturing",
        "Aerospace",
        "Technology",
        "Energy",
        "Semiconductor"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 56,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 15
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386872,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691b8869e00b107fa20d9482",
      "name": "ThreatFix",
      "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.",
      "modified": "2026-01-23T11:01:07.175000",
      "created": "2025-11-17T20:41:11.797000",
      "tags": [
        "",
        "ransomware",
        "malware"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "",
          "display_name": "",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "zlepos384",
        "id": "103244",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8010,
        "FileHash-SHA1": 7922,
        "FileHash-SHA256": 8893,
        "URL": 57004,
        "domain": 36018,
        "hostname": 96473
      },
      "indicator_count": 214320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 44,
      "modified_text": "130 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a7f6cccd788262b87670e6",
      "name": "EbeeAugust2025 Pt3",
      "description": "",
      "modified": "2025-10-02T14:03:15.669000",
      "created": "2025-08-22T04:49:16.441000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 3,
        "FileHash-MD5": 219,
        "FileHash-SHA1": 197,
        "FileHash-SHA256": 260,
        "URL": 89,
        "domain": 180,
        "email": 4,
        "hostname": 64
      },
      "indicator_count": 1016,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "242 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b0d8d4c1f779071120490f",
      "name": "aaaaaaaaa",
      "description": "Hundreds of people are involved in a range of business-related research and development projects, as well as a handful of companies, which are currently under review, and a number of other companies.",
      "modified": "2025-09-27T22:07:03.425000",
      "created": "2025-08-28T22:31:48.808000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 6,
        "domain": 15
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "247 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68aff51a5e8b5dab829a0e48",
      "name": "IOC - ZipLine Phishing Campaign Targets U.S. Manufacturing",
      "description": "",
      "modified": "2025-09-26T19:04:46.621000",
      "created": "2025-08-28T06:20:10.372000",
      "tags": [
        "Phishing",
        "manufacturing",
        "MixShell",
        "DNS Tunneling",
        "ZipLine"
      ],
      "references": [
        "A sophisticated phishing campaign called ZipLine is targeting U.S. manufacturing companies, especially those in supply chain-critical sectors. The attackers initiate contact through company contact forms, leading to weeks-long email conversations before delivering malicious payloads. They use legitimate-looking business interactions and AI-related pretexts to build trust. The campaign employs a custom malware called MixShell, which uses DNS TXT tunneling for command and control. The attackers utilize domain"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "Switzerland",
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "MixShell",
          "display_name": "MixShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1553.005",
          "name": "Mark-of-the-Web Bypass",
          "display_name": "T1553.005 - Mark-of-the-Web Bypass"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Manufacturing",
        "Aerospace",
        "Technology",
        "Energy",
        "Semiconductor"
      ],
      "TLP": "white",
      "cloned_from": "68af58ce8cb7bcf7195c203f",
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 15
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68af1d050de56fca342b8ac2",
      "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
      "description": "A sophisticated phishing campaign targeting supply chain-critical manufacturing companies has been uncovered by Check Point Research, a leading security research firm, and is being investigated by the US Department of Defense (DoD).",
      "modified": "2025-09-26T14:00:21.724000",
      "created": "2025-08-27T14:58:12.465000",
      "tags": [
        "string",
        "mixshell",
        "zip archive",
        "zipline",
        "contact",
        "zip file",
        "ip address",
        "com object",
        "check point",
        "dns txt",
        "powershell",
        "form",
        "marker",
        "small",
        "transferloader"
      ],
      "references": [
        "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Singapore",
        "Japan",
        "Switzerland"
      ],
      "malware_families": [
        {
          "id": "TransferLoader",
          "display_name": "TransferLoader",
          "target": null
        },
        {
          "id": "ZipLine",
          "display_name": "ZipLine",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1008",
          "name": "Fallback Channels",
          "display_name": "T1008 - Fallback Channels"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1072",
          "name": "Software Deployment Tools",
          "display_name": "T1072 - Software Deployment Tools"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Industrial",
        "Manufacturing",
        "Biotech",
        "Pharmaceuticals",
        "Critical Industries",
        "Electronics",
        "Aerospace",
        "Energy"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "KernelSanders",
        "id": "73862",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 16
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "248 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68aef879641bcd6589c05362",
      "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
      "description": "",
      "modified": "2025-09-26T12:00:35.589000",
      "created": "2025-08-27T12:22:17.536000",
      "tags": [
        "string",
        "mixshell",
        "zip archive",
        "zipline",
        "contact",
        "zip file",
        "ip address",
        "com object",
        "check point",
        "dns txt",
        "powershell",
        "form",
        "marker",
        "small"
      ],
      "references": [
        "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 16
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "249 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68b546b108bf4b5f9685e15d",
      "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
      "description": "",
      "modified": "2025-09-26T12:00:35.589000",
      "created": "2025-09-01T07:09:37.148000",
      "tags": [
        "string",
        "mixshell",
        "zip archive",
        "zipline",
        "contact",
        "zip file",
        "ip address",
        "com object",
        "check point",
        "dns txt",
        "powershell",
        "form",
        "marker",
        "small"
      ],
      "references": [
        "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68aef879641bcd6589c05362",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 16
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "249 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68aeae0b088d28b7ea2748b2",
      "name": "IOC-ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies",
      "description": "ZipLine is a highly sophisticated socially engineered phishing operation aimed at U.S. manufacturing and other critical supply-chain enterprises. Attackers initiate contact via publicly available \"Contact Us\" forms, prompting the target to respond. Over several weeks of businesslike dialogue, the attackers gradually gain trust and ultimately deliver a malicious payload from a trusted platform. The payload executes a backdoor named MixShell in memory and communicates with C2 over a DNS TXT tunnel, enabling persistence and anti-detection. The operation also exploits social engineering around AI transformation themes and abuses platform/domain trust mechanisms.",
      "modified": "2025-09-26T07:03:57.273000",
      "created": "2025-08-27T07:04:43.386000",
      "tags": [
        "domains"
      ],
      "references": [
        ""
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 26,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 15
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "249 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ae5e1217a26276db31a967",
      "name": "ZipLine Phishing Campaign Targets U.S. Manufacturing - Check Point Research",
      "description": "",
      "modified": "2025-09-26T01:04:18.490000",
      "created": "2025-08-27T01:23:30.299000",
      "tags": [
        "string",
        "mixshell",
        "zip archive",
        "zipline",
        "contact",
        "zip file",
        "ip address",
        "com object",
        "check point",
        "dns txt",
        "powershell",
        "form",
        "marker",
        "small"
      ],
      "references": [
        "https://research.checkpoint.com/2025/zipline-phishing-campaign/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 14,
        "domain": 16
      },
      "indicator_count": 30,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "249 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "kprocurement.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "kprocurement.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780402038.4844346
}