{ "type": "Domain", "indicator": "krabsonsecurity.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/krabsonsecurity.com", "alexa": "http://www.alexa.com/siteinfo/krabsonsecurity.com", "indicator": "krabsonsecurity.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3040723560, "indicator": "krabsonsecurity.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67ff12aea0b9ba91d923da14", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:15:10.602000", "created": "2025-04-16T02:15:10.602000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff1245d4dc2a56e5561a57", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:13:25.801000", "created": "2025-04-16T02:13:25.801000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6773390f17d71879c414676a", "name": "El Machete", "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticada malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:21:35.813000", "tags": [ "cve201711882", "cve20201472", "El Machete" ], "references": [], "public": 1, "adversary": "El Machete", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 473, "FileHash-SHA1": 471, "FileHash-SHA256": 500, "CVE": 9, "domain": 60, "hostname": 18 }, "indicator_count": 1531, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67733b72d522398f5ea0a12d", "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar", "description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:31:46.858000", "tags": [ "cve201711882", "cve20201472" ], "references": [], "public": 1, "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2631, "FileHash-SHA1": 2168, "FileHash-SHA256": 3401, "CVE": 25, "domain": 977, "hostname": 1226 }, "indicator_count": 10428, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "652e382249b6450188a20316", "name": "New BLISTER Malware Involved in Network Infiltration", "description": "", "modified": "2023-11-16T07:01:26.974000", "created": "2023-10-17T07:30:42.274000", "tags": [ "blister", "blister loader", "security labs", "labs", "elastic", "new development", "palo alto", "mythic", "vlc dll", "different", "august", "virustotal", "june", "test", "trojan", "persistence", "blister malware", "strong", "security", "startup folder", "execution", "binary proxy", "malware", "cobaltstrike", "bitrat", "urls", "please", "javascript", "group", "push", "team", "red dev", "bitrat malware", "xmm0", "pla unit", "maria bitrat", "nanocore rat", "ave maria", "jackal", "nodestealer", "bomb", "discord", "purecrypter", "quasar rat", "avemariarat", "hido", "powershell", "melissa", "netwire rc", "oilrig", "mask", "bluenoroff", "panda", "back", "xworm", "xavier", "adobot", "orcus rat", "pandora rat", "raccoon", "vlad", "bill", "tinynuke", "remcos", "cobalt strike", "zloader", "agent tesla", "ficker stealer", "avemaria", "download", "stealth mango", "ixeshe", "aluminum", "msupdater", "nettraveler", "keyboy", "sednit", "sofacy", "oceanlotus", "holmium", "scarcruft", "venus", "sykipot", "leviathan", "amoeba", "hoodoo", "dragon", "star", "matanbuchus", "comnie", "termite", "emdivi", "greenbug", "careto", "cobalt", "cyber", "icefog", "trident", "dnspionage", "darkhotel", "luder", "nemim", "tapaoux", "pioneer", "havex", "machete", "evilnum", "carbanak", "gcman", "ghostnet", "bitter", "infy", "karakurt", "kinsing", "mercury", "naikon", "nitro", "strongpity", "powerpool", "indra", "sauron", "sidewinder", "redalpha", "mantis", "rocke", "mimic", "silence", "guardian", "teamspy", "teamtnt", "teamxrat", "turla", "snake", "wraith", "pfinet", "krypton", "zoopark", "sha256 trend", "micro detection", "script c", "unique string", "windows", "lnk file", "windows native", "payload", "launchcolorcpl", "amadey", "clipbanker", "launch", "apache" ], "references": [ "September 06th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3180 - New BLISTER Malware Involved in Network Infiltration.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 59, "FileHash-SHA256": 61, "domain": 10, "hostname": 6, "YARA": 3, "URL": 3 }, "indicator_count": 199, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e61f563b134afb853216d", "name": "The Dark Alliance between GuLoader and Remcos", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T07:12:53.726000", "tags": [ "guloader", "cloudeye", "darkeye", "urls", "comparison", "sonykuccio", "google drive", "clearnet", "xor key", "onedrive", "next", "coronavirus", "rats", "contact", "malicious", "formbook" ], "references": [ "September 20th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3272 - The Dark Alliance between GuLoader and Remcos" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GuLoader", "display_name": "GuLoader", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 77, "FileHash-SHA256": 90, "domain": 14, "URL": 43, "hostname": 9, "email": 1, "YARA": 1 }, "indicator_count": 317, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "938 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "stdbool.hcc0B2j.c", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "September 20th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3272 - The Dark Alliance between GuLoader and Remcos", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "bauh@mrkd", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", ".X11-unix", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "qtsingleapp-Octopi-1d88-3e8", ".org.chromium.Chromium.12ZdF3", "v8-compile-cache-0", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "tmp90lfbdek", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "runtime-root", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "plasma-csd-generator.LTvjbT", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "strlcpydb8x03.c", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "albert_yt_ynb2tftv", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", ".org.chromium.Chromium.T2jdbS", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "v8-compile-cache-1000", "strlcatmMvE1V.c", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "September 06th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3180 - New BLISTER Malware Involved in Network Infiltration.pdf", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "@tmp", "tmp.D4NXyZ3U4J", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "stdbool.ht64kj6qw.c", ".vbox-mrkd-ipc", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", ".ICE-unix", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", ".org.chromium.Chromium.coQnti", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "pytest-of-mrkd", "tst-bz26353KOtJVp", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8", ".org.chromium.Chromium.HMzFxo", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "tmp.ziktUZeKXL", "fish.root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", ".org.chromium.Chromium.8GBhMA", "qtsingleapp-Octopi-1d88-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "20230816_202710-scantemp.b14ff4bc3a", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "memmemY_2MMv.c" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "El Machete, TAG-100, Mirage, Unamed_Grooup", "El Machete", "N/A" ], "malware_families": [ "Trojandownloader:linux/morila!mtb", "Slf:mamacsemacro.a", "Backdoor:win32/r2d2.a", "Bv:telegrambot-a\\ [trj]", "Trojandropper:win32/fakeflexnet.a", "Delphi", "Sf:shellcode-dz\\ [trj]", "Ransom:linux/darkradiation.a!mtb", "Guloader", "Netexecutablemicrosoft" ], "industries": [ "Individuals" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67ff12aea0b9ba91d923da14", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:15:10.602000", "created": "2025-04-16T02:15:10.602000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ff1245d4dc2a56e5561a57", "name": "Threat Actor Profile: El Machete", "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s", "modified": "2025-04-16T02:13:25.801000", "created": "2025-04-16T02:13:25.801000", "tags": [ "threat_actor", "unknown", "T1497", "T1114", "T1566.001", "T1059.003", "T1081", "T1059.006", "T1059", "T1566.002", "T1082", "T1027", "T1071.001", "T1566", "T1041", "T1105", "T1204.001", "T1049", "T1055", "T1036", "T1503", "T1114.001", "T1053", "T1140", "T1012", "T1071", "T1112", "T1036.005", "T1547", "T1057", "T1008", "T1518", "T1021", "T1011", "T1060", "T1539", "T1587", "T1087", "T1095", "T1102", "T1070", "T1130", "T1552", "T1106", "T1190", "T1007", "T1133", "T1090", "T1016", "T1137", "T1119", "T1124", "T1005", "T1059.001", "T1115", "T1562.001", "T1543", "T1078", "T1083", "T1530", "T1085", "T1003", "T1120", "T1218", "T1048", "T1553", "T1490", "T1497.003", "T1571", "T1204.002", "T1595.002", "T1102.002", "T1583.003", "T1027.009", "T1027.013", "T1132", "T1562", "T1110", "T1059.005", "T1218.007", "T1204", "T1550", "T1136", "T1555", "T1176", "T1204_-_User_Execution", "T1566_-_Phishing", "T1561", "T1583", "T1485", "T1127", "T1595", "T1573", "T1189", "T1486", "T1531", "T1529", "T1053.005", "T1047.", "target:Dominican Republic", "target:Venezuela", "target:Italy", "target:Colombia", "target:Ecuador", "target:Guatemala", "target:Belgium", "target:Malaysia", "target:Brazil", "target:France", "target:Indonesia", "target:United Kingdom", "target:China", "target:Germany", "target:Mexico", "target:Argentina", "target:Netherlands", "target:Japan", "target:Bolivia", "target:Yibuti", "target:Vietnam", "target:Fiyi", "target:Cuba", "target:Camboya", "target:Taiw\u00e1n", "target:United States", "target:Sweden", "target:Ukraine", "target:South Korea", "target:Nicaragua", "target:Canada", "target:Russia", "target:otros" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 9, "hostname": 18, "domain": 59 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 56, "modified_text": "410 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6773390f17d71879c414676a", "name": "El Machete", "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticada malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:21:35.813000", "tags": [ "cve201711882", "cve20201472", "El Machete" ], "references": [], "public": 1, "adversary": "El Machete", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 473, "FileHash-SHA1": 471, "FileHash-SHA256": 500, "CVE": 9, "domain": 60, "hostname": 18 }, "indicator_count": 1531, "is_author": false, "is_subscribing": null, "subscriber_count": 60, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67733b72d522398f5ea0a12d", "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar", "description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024", "modified": "2025-01-30T00:00:18.927000", "created": "2024-12-31T00:31:46.858000", "tags": [ "cve201711882", "cve20201472" ], "references": [], "public": 1, "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fraevolquez", "id": "91700", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2631, "FileHash-SHA1": 2168, "FileHash-SHA256": 3401, "CVE": 25, "domain": 977, "hostname": 1226 }, "indicator_count": 10428, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "486 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "652e382249b6450188a20316", "name": "New BLISTER Malware Involved in Network Infiltration", "description": "", "modified": "2023-11-16T07:01:26.974000", "created": "2023-10-17T07:30:42.274000", "tags": [ "blister", "blister loader", "security labs", "labs", "elastic", "new development", "palo alto", "mythic", "vlc dll", "different", "august", "virustotal", "june", "test", "trojan", "persistence", "blister malware", "strong", "security", "startup folder", "execution", "binary proxy", "malware", "cobaltstrike", "bitrat", "urls", "please", "javascript", "group", "push", "team", "red dev", "bitrat malware", "xmm0", "pla unit", "maria bitrat", "nanocore rat", "ave maria", "jackal", "nodestealer", "bomb", "discord", "purecrypter", "quasar rat", "avemariarat", "hido", "powershell", "melissa", "netwire rc", "oilrig", "mask", "bluenoroff", "panda", "back", "xworm", "xavier", "adobot", "orcus rat", "pandora rat", "raccoon", "vlad", "bill", "tinynuke", "remcos", "cobalt strike", "zloader", "agent tesla", "ficker stealer", "avemaria", "download", "stealth mango", "ixeshe", "aluminum", "msupdater", "nettraveler", "keyboy", "sednit", "sofacy", "oceanlotus", "holmium", "scarcruft", "venus", "sykipot", "leviathan", "amoeba", "hoodoo", "dragon", "star", "matanbuchus", "comnie", "termite", "emdivi", "greenbug", "careto", "cobalt", "cyber", "icefog", "trident", "dnspionage", "darkhotel", "luder", "nemim", "tapaoux", "pioneer", "havex", "machete", "evilnum", "carbanak", "gcman", "ghostnet", "bitter", "infy", "karakurt", "kinsing", "mercury", "naikon", "nitro", "strongpity", "powerpool", "indra", "sauron", "sidewinder", "redalpha", "mantis", "rocke", "mimic", "silence", "guardian", "teamspy", "teamtnt", "teamxrat", "turla", "snake", "wraith", "pfinet", "krypton", "zoopark", "sha256 trend", "micro detection", "script c", "unique string", "windows", "lnk file", "windows native", "payload", "launchcolorcpl", "amadey", "clipbanker", "launch", "apache" ], "references": [ "September 06th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3180 - New BLISTER Malware Involved in Network Infiltration.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 57, "FileHash-SHA1": 59, "FileHash-SHA256": 61, "domain": 10, "hostname": 6, "YARA": 3, "URL": 3 }, "indicator_count": 199, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "926 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651e61f563b134afb853216d", "name": "The Dark Alliance between GuLoader and Remcos", "description": "", "modified": "2023-11-04T07:02:32.756000", "created": "2023-10-05T07:12:53.726000", "tags": [ "guloader", "cloudeye", "darkeye", "urls", "comparison", "sonykuccio", "google drive", "clearnet", "xor key", "onedrive", "next", "coronavirus", "rats", "contact", "malicious", "formbook" ], "references": [ "September 20th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3272 - The Dark Alliance between GuLoader and Remcos" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "GuLoader", "display_name": "GuLoader", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 82, "FileHash-SHA1": 77, "FileHash-SHA256": 90, "domain": 14, "URL": 43, "hostname": 9, "email": 1, "YARA": 1 }, "indicator_count": 317, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "938 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "krabsonsecurity.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "krabsonsecurity.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200328.241086 }