{ "type": "Domain", "indicator": "lastpas.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/lastpas.com", "alexa": "http://www.alexa.com/siteinfo/lastpas.com", "indicator": "lastpas.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4287675952, "indicator": "lastpas.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69cea64baa48265a8127fe22", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors of typo-squatted domains into downloading Microsoft Store apps that contain browser hijacking malware. While the abuse of AdTech networks to deliver malware isn\u2019t new, this campaign highlights incredibly similar tactics to VexTrio and previous TDS networks; further blurring the line between AdTech and malicious TDS systems.", "modified": "2026-04-02T17:50:11.180000", "created": "2026-04-02T17:24:27.896000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "pseudotds" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PhantomJack", "display_name": "PhantomJack", "target": null }, { "id": "PseudoTDS", "display_name": "PseudoTDS", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "69cac1807cac156b805d673d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "domain": 13, "hostname": 15, "URL": 3 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 377515, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7411e87ec788e91ca7981", "name": "EbeeApril2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-09T06:05:07.046000", "created": "2026-04-09T06:03:10.216000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20177921 cve" ], "references": [], "public": 1, "adversary": "APT41, Floki, Cifrat, LucidRook, Lumma Stealer, Winnti ELF Backdoor, Delphi, Infiniti Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 50, "hostname": 77, "URL": 115, "FileHash-MD5": 138, "FileHash-SHA1": 128, "FileHash-SHA256": 164, "CVE": 5, "domain": 106, "email": 6 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d33a7fcccc3e34b2b4df70", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "", "modified": "2026-04-06T04:45:51.607000", "created": "2026-04-06T04:45:51.607000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "pseudotds" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PhantomJack", "display_name": "PhantomJack", "target": null }, { "id": "PseudoTDS", "display_name": "PseudoTDS", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "69cea64baa48265a8127fe22", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "domain": 13, "hostname": 15, "URL": 3 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cac1807cac156b805d673d", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "A guide to Trinity Cyber, a global security platform that stops threats with revolutionary Full Content Inspection (FCI) and AI-Accelerated Threat Defense, as well as the company's partners.", "modified": "2026-03-30T18:31:28.592000", "created": "2026-03-30T18:31:28.592000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "strong", "full content", "inspection", "pseudotds", "learn", "overview", "adtech", "cyber", "launcher", "install", "download", "impact", "back", "aware", "defense", "weaponize" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Weaponize", "display_name": "Weaponize", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cnoscsoc@att.com", "id": "81627", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "URL": 3, "domain": 13, "hostname": 15 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Phantomjack", "Pseudotds" ], "industries": [] }, "other": { "adversary": [ "APT41, Floki, Cifrat, LucidRook, Lumma Stealer, Winnti ELF Backdoor, Delphi, Infiniti Stealer" ], "malware_families": [ "Phantomjack", "Weaponize", "Pseudotds" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69cea64baa48265a8127fe22", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors of typo-squatted domains into downloading Microsoft Store apps that contain browser hijacking malware. While the abuse of AdTech networks to deliver malware isn\u2019t new, this campaign highlights incredibly similar tactics to VexTrio and previous TDS networks; further blurring the line between AdTech and malicious TDS systems.", "modified": "2026-04-02T17:50:11.180000", "created": "2026-04-02T17:24:27.896000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "pseudotds" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PhantomJack", "display_name": "PhantomJack", "target": null }, { "id": "PseudoTDS", "display_name": "PseudoTDS", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "69cac1807cac156b805d673d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "domain": 13, "hostname": 15, "URL": 3 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 377515, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7411e87ec788e91ca7981", "name": "EbeeApril2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-09T06:05:07.046000", "created": "2026-04-09T06:03:10.216000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20177921 cve" ], "references": [], "public": 1, "adversary": "APT41, Floki, Cifrat, LucidRook, Lumma Stealer, Winnti ELF Backdoor, Delphi, Infiniti Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 50, "hostname": 77, "URL": 115, "FileHash-MD5": 138, "FileHash-SHA1": 128, "FileHash-SHA256": 164, "CVE": 5, "domain": 106, "email": 6 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d33a7fcccc3e34b2b4df70", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "", "modified": "2026-04-06T04:45:51.607000", "created": "2026-04-06T04:45:51.607000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "pseudotds" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PhantomJack", "display_name": "PhantomJack", "target": null }, { "id": "PseudoTDS", "display_name": "PseudoTDS", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": "69cea64baa48265a8127fe22", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "domain": 13, "hostname": 15, "URL": 3 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 265, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cac1807cac156b805d673d", "name": "Blurred Lines: AdTech Abuse Delivers Browser Hijackers Through the Microsoft Store", "description": "A guide to Trinity Cyber, a global security platform that stops threats with revolutionary Full Content Inspection (FCI) and AI-Accelerated Threat Defense, as well as the company's partners.", "modified": "2026-03-30T18:31:28.592000", "created": "2026-03-30T18:31:28.592000", "tags": [ "microsoft store", "phantomjack", "trinity cyber", "strong", "full content", "inspection", "pseudotds", "learn", "overview", "adtech", "cyber", "launcher", "install", "download", "impact", "back", "aware", "defense", "weaponize" ], "references": [ "https://www.trinitycyber.com/blog/blurred-lines-adtech-abuse-delivers-browser-hijackers-through-the-microsoft-store#:~:text=The%20attackers%20prompt%20users%20who,link%20various%20PhantomJack%20samples%20together:" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Weaponize", "display_name": "Weaponize", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cnoscsoc@att.com", "id": "81627", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 46, "URL": 3, "domain": 13, "hostname": 15 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "lastpas.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "lastpas.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776611811.9538767 }