{ "type": "Domain", "indicator": "lefthandsuperstructures.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/lefthandsuperstructures.com", "alexa": "http://www.alexa.com/siteinfo/lefthandsuperstructures.com", "indicator": "lefthandsuperstructures.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4143404747, "indicator": "lefthandsuperstructures.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "691f6f317ed414598e71b8f6", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "A persistent malware distribution campaign targeting WhatsApp users in Brazil has been observed since September 24, 2025. The attack begins with a message sent using WhatsApp's 'View Once' option, delivering a ZIP archive containing malicious VBS or HTA files. When executed, these files launch PowerShell to retrieve second-stage payloads, including scripts that collect WhatsApp user data and an MSI installer that deploys the Astaroth banking trojan. The campaign has evolved over time, shifting from IMAP-based retrieval to HTTP-based communication with a remote C2 server. The attack leverages Selenium Chrome WebDriver and WPPConnect JavaScript library to hijack WhatsApp Web sessions, harvest contact information and session tokens, and facilitate spam distribution. The campaign has affected over 250 customers, with 95% of impacted devices located in Brazil.", "modified": "2025-11-20T22:00:00.067000", "created": "2025-11-20T19:42:41.056000", "tags": [ "persistence", "guildma", "banking trojan", "brazil", "session hijacking", "astaroth", "whatsapp", "maverick", "credential theft" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Austria", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386887, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff8dd035041c4143f2889b", "name": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C", "description": "The Water Saci campaign has evolved, now utilizing an email-based command and control infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote control capabilities, allowing real-time management of infected machines as a coordinated botnet. The malware implements extensive anti-analysis measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the Coyote banking trojan, suggesting possible links within the Brazilian cybercriminal ecosystem.", "modified": "2025-10-27T16:28:15.312000", "created": "2025-10-27T15:20:48.929000", "tags": [ "sorvepotel", "banking trojan", "vbs", "coyote", "anti-analysis" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" ], "public": 1, "adversary": "Water Saci", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null }, { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386886, "modified_text": "217 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6927362a094590b632f8779c", "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)", "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil", "modified": "2026-02-26T18:55:49.942000", "created": "2025-11-26T17:17:28.844000", "tags": [ "banker", "whatsapp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Eternity", "display_name": "Eternity", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IncursioHack", "id": "371344", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "hostname": 4 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69293292bddf22bddfe73819", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "", "modified": "2025-11-28T05:26:42.861000", "created": "2025-11-28T05:26:42.861000", "tags": [ "persistence", "guildma", "banking trojan", "brazil", "session hijacking", "astaroth", "whatsapp", "maverick", "credential theft" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Austria", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "691f6f317ed414598e71b8f6", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69284261ff8de1b3746de2f6", "name": "pppppppp", "description": "", "modified": "2025-11-27T12:21:53.771000", "created": "2025-11-27T12:21:53.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "187 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6922a91d0f995a648dd98e06", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "A recent cyber threat campaign, tracked as STAC3150, has emerged targeting WhatsApp users in Brazil, first detected on September 24, 2025. This persistent, multi-stage malware distribution effort leverages the messaging platform to compromise systems through a deployable malware known as Astaroth. The initial phase of the attack involves sending messages containing archive attachments that house a downloader script. This script is responsible for retrieving multiple secondary payloads, effectively facilitating the introduction of the Astaroth malware into the victim's system.", "modified": "2025-11-23T06:26:37.279000", "created": "2025-11-23T06:26:37.279000", "tags": [ "c2 server", "domain name", "powershell", "opens", "october", "figure", "whatsapp", "vbs file", "september", "msi file", "astaroth", "python", "guildma", "bluesky", "whatsapp stac3150", "stac3150" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Austria" ], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "191 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6920b8615fcfacf8d0b6fb98", "name": "TrendMicro IOC Water Saci.", "description": "Researchers have uncovered a new type of malware, which can detect and prevent malware from being spread through WhatsApp and other messaging services.", "modified": "2025-11-21T19:07:12.536000", "created": "2025-11-21T19:07:12.536000", "tags": [ "c server", "disease vector", "water saci", "campaign", "sophisticated c", "compromise file", "domain disease", "vector https" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/active-water-saci-whatsapp-campaign-update/Active-Water-Saci-Campaign-Update-IoCs.txt" ], "public": 1, "adversary": "Water Saci.", "targeted_countries": [], "malware_families": [ { "id": "Water Saci", "display_name": "Water Saci", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mr.taz92", "id": "370502", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "192 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6902e5909be9571f6e7639bb", "name": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C", "description": "", "modified": "2025-10-30T04:12:00.357000", "created": "2025-10-30T04:12:00.357000", "tags": [ "sorvepotel", "banking trojan", "vbs", "coyote", "anti-analysis" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" ], "public": 1, "adversary": "Water Saci", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null }, { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "68ff8dd035041c4143f2889b", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69005de93358d7d1a0ab9371", "name": "IOC - Active Water Saci Campaign Spreading Via WhatsApp", "description": "", "modified": "2025-10-28T06:08:41.612000", "created": "2025-10-28T06:08:41.612000", "tags": [ "sorvepotel", "banking trojan", "vbs", "coyote", "anti-analysis" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" ], "public": 1, "adversary": "Water Saci", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null }, { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "68ff8dd035041c4143f2889b", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "217 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ffca36b1c6b38b6135b541", "name": "Water Saci Malware Spreads Through WhatsApp With Advanced Persistence and C2", "description": "An aggressive malware campaign has been identified named Water Saci which\n uses WhatsApp as its primary infection vector. The malware SORVEPOTEL\n which excutes only in Portuguese-language, automatically sends the same\n malicious ZIP to all contacts and groups on a compromised account to spread\n rapidly.", "modified": "2025-10-27T19:38:30.613000", "created": "2025-10-27T19:38:30.613000", "tags": [ "domains", "urls" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "217 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment", "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/", "OCT.pdf", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/active-water-saci-whatsapp-campaign-update/Active-Water-Saci-Campaign-Update-IoCs.txt", "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html", "Book1.csv" ], "related": { "alienvault": { "adversary": [ "Water Saci" ], "malware_families": [ "Sorvepotel", "Coyote" ], "industries": [ "Finance" ] }, "other": { "adversary": [ "Water Saci.", "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "Water Saci", "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face" ], "malware_families": [ "Sorvepotel", "Eternity", "Coyote", "Water saci", "Astaroth" ], "industries": [ "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "691f6f317ed414598e71b8f6", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "A persistent malware distribution campaign targeting WhatsApp users in Brazil has been observed since September 24, 2025. The attack begins with a message sent using WhatsApp's 'View Once' option, delivering a ZIP archive containing malicious VBS or HTA files. When executed, these files launch PowerShell to retrieve second-stage payloads, including scripts that collect WhatsApp user data and an MSI installer that deploys the Astaroth banking trojan. The campaign has evolved over time, shifting from IMAP-based retrieval to HTTP-based communication with a remote C2 server. The attack leverages Selenium Chrome WebDriver and WPPConnect JavaScript library to hijack WhatsApp Web sessions, harvest contact information and session tokens, and facilitate spam distribution. The campaign has affected over 250 customers, with 95% of impacted devices located in Brazil.", "modified": "2025-11-20T22:00:00.067000", "created": "2025-11-20T19:42:41.056000", "tags": [ "persistence", "guildma", "banking trojan", "brazil", "session hijacking", "astaroth", "whatsapp", "maverick", "credential theft" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Austria", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386887, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff8dd035041c4143f2889b", "name": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C", "description": "The Water Saci campaign has evolved, now utilizing an email-based command and control infrastructure and multi-vector persistence for resilience. The new attack chain employs script-based techniques, including VBS downloaders and PowerShell scripts, to hijack WhatsApp Web sessions and automate malware distribution. It features sophisticated remote control capabilities, allowing real-time management of infected machines as a coordinated botnet. The malware implements extensive anti-analysis measures and targets Portuguese-language systems. Its email-based C&C system uses IMAP connections to retrieve commands, complemented by an HTTP-based polling mechanism for ongoing communication. The campaign shares similarities with the Coyote banking trojan, suggesting possible links within the Brazilian cybercriminal ecosystem.", "modified": "2025-10-27T16:28:15.312000", "created": "2025-10-27T15:20:48.929000", "tags": [ "sorvepotel", "banking trojan", "vbs", "coyote", "anti-analysis" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" ], "public": 1, "adversary": "Water Saci", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null }, { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 386886, "modified_text": "217 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6927362a094590b632f8779c", "name": "IncursioHack -WhatsApp Malware Campaign Targeting Brazil (GitHub)", "description": "This repository contains Indicators of Compromise (IoCs) related to the WhatsApp malware campaign targeting Brazil. It includes:\n\nMalicious domains\nFile hashes (SHA-256, SHA-1, MD5)\nURLs\nReferences to technical analyses and news articles\nThe goal is to provide threat intelligence for defensive purposes, such as DNS blocking, proxy filtering, and malware detection.\n\nVisit: https://github.com/IncursioHack/WhatsApp-Malware-Campaign-Targeting-Brazil", "modified": "2026-02-26T18:55:49.942000", "created": "2025-11-26T17:17:28.844000", "tags": [ "banker", "whatsapp" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Eternity", "display_name": "Eternity", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IncursioHack", "id": "371344", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 44, "hostname": 4 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "95 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "153 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69032eeb91df61e525fe5741", "name": "EbeeOct2025 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-29T09:05:33.273000", "created": "2025-10-30T09:24:59.370000", "tags": [], "references": [ "OCT.pdf" ], "public": 1, "adversary": "Vidar Stealer, Storm-2603, ClickFix to deliver NetSupport RAT Loaders, BackdoorDiplomacy, ClayRat (S", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 98, "FileHash-MD5": 166, "FileHash-SHA1": 122, "FileHash-SHA256": 190, "CVE": 9, "domain": 118, "email": 3, "hostname": 73 }, "indicator_count": 779, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69293292bddf22bddfe73819", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "", "modified": "2025-11-28T05:26:42.861000", "created": "2025-11-28T05:26:42.861000", "tags": [ "persistence", "guildma", "banking trojan", "brazil", "session hijacking", "astaroth", "whatsapp", "maverick", "credential theft" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Austria", "Brazil" ], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "691f6f317ed414598e71b8f6", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "186 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69284261ff8de1b3746de2f6", "name": "pppppppp", "description": "", "modified": "2025-11-27T12:21:53.771000", "created": "2025-11-27T12:21:53.771000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "vijay2752", "id": "368558", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "187 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6922a91d0f995a648dd98e06", "name": "WhatsApp compromise leads to Astaroth deployment", "description": "A recent cyber threat campaign, tracked as STAC3150, has emerged targeting WhatsApp users in Brazil, first detected on September 24, 2025. This persistent, multi-stage malware distribution effort leverages the messaging platform to compromise systems through a deployable malware known as Astaroth. The initial phase of the attack involves sending messages containing archive attachments that house a downloader script. This script is responsible for retrieving multiple secondary payloads, effectively facilitating the introduction of the Astaroth malware into the victim's system.", "modified": "2025-11-23T06:26:37.279000", "created": "2025-11-23T06:26:37.279000", "tags": [ "c2 server", "domain name", "powershell", "opens", "october", "figure", "whatsapp", "vbs file", "september", "msi file", "astaroth", "python", "guildma", "bluesky", "whatsapp stac3150", "stac3150" ], "references": [ "https://news.sophos.com/en-us/2025/11/20/whatsapp-compromise-leads-to-astaroth-deployment/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "United States of America", "Austria" ], "malware_families": [ { "id": "Astaroth", "display_name": "Astaroth", "target": null } ], "attack_ids": [ { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.003", "name": "Spearphishing via Service", "display_name": "T1566.003 - Spearphishing via Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 8 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "191 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6920b8615fcfacf8d0b6fb98", "name": "TrendMicro IOC Water Saci.", "description": "Researchers have uncovered a new type of malware, which can detect and prevent malware from being spread through WhatsApp and other messaging services.", "modified": "2025-11-21T19:07:12.536000", "created": "2025-11-21T19:07:12.536000", "tags": [ "c server", "disease vector", "water saci", "campaign", "sophisticated c", "compromise file", "domain disease", "vector https" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/j/active-water-saci-whatsapp-campaign-update/Active-Water-Saci-Campaign-Update-IoCs.txt" ], "public": 1, "adversary": "Water Saci.", "targeted_countries": [], "malware_families": [ { "id": "Water Saci", "display_name": "Water Saci", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mr.taz92", "id": "370502", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "192 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6902e5909be9571f6e7639bb", "name": "Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C", "description": "", "modified": "2025-10-30T04:12:00.357000", "created": "2025-10-30T04:12:00.357000", "tags": [ "sorvepotel", "banking trojan", "vbs", "coyote", "anti-analysis" ], "references": [ "https://www.trendmicro.com/en_us/research/25/j/active-water-saci-campaign-whatsapp-update.html" ], "public": 1, "adversary": "Water Saci", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "SORVEPOTEL", "display_name": "SORVEPOTEL", "target": null }, { "id": "Coyote", "display_name": "Coyote", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "68ff8dd035041c4143f2889b", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 11, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "domain": 19 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "215 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "lefthandsuperstructures.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "lefthandsuperstructures.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780407141.917699 }