{ "type": "Domain", "indicator": "letmespellmoons.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/letmespellmoons.com", "alexa": "http://www.alexa.com/siteinfo/letmespellmoons.com", "indicator": "letmespellmoons.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4026666575, "indicator": "letmespellmoons.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68075360a020c6b0f4bf3a56", "name": "Hackers Exploit Russian Bulletproof Host Proton66 for Global Cyberattacks", "description": "Cybersecurity researchers have uncovered a surge in mass scanning, credential brute-forcing, and exploitation attempts originating from IP addresses associated with the Russian bulletproof hosting service provider Proton66. Since January 8, 2025, these attacks have targeted organizations worldwide, deploying various malware families, including GootLoader and SpyNote. The malicious activity involves exploiting critical vulnerabilities in widely used systems, posing a significant threat to global cybersecurity.", "modified": "2025-05-22T08:02:33.885000", "created": "2025-04-22T08:29:20.493000", "tags": [ "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "proton66", "prospero", "kaspersky", "strelastealer", "russian", "gootloader", "spynote", "superblack", "xworm", "weaxor", "mallox" ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" ], "public": 1, "adversary": "Prospero", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "StrelaStealer", "display_name": "StrelaStealer", "target": null }, { "id": "WeaXor", "display_name": "WeaXor", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "CVE": 5, "domain": 50, "URL": 42, "FileHash-SHA256": 6, "hostname": 2 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c586b5bacba874edce2bcb", "name": "PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks", "description": "The Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence to Proton66 (AS198953), another Russian AS, that we believe to be connected to the bulletproof services named \u2018SecureHost\u2018 and \u2018BEARHOST\u2018. We notably observed that both network\u2019s configurations are almost identical in terms of peering agreements and their respective share of loads throughout time.", "modified": "2025-04-29T14:22:22.704000", "created": "2025-03-03T10:38:45.845000", "tags": [], "references": [ "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 13, "URL": 20, "domain": 100, "email": 2, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "397 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67863b3c02d309ebc4f08e34", "name": "SocGholish", "description": "", "modified": "2025-02-13T10:04:02.552000", "created": "2025-01-14T10:23:53.618000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SocGholish - S1124", "display_name": "SocGholish - S1124", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "hostname": 46 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html", "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Prospero" ], "malware_families": [ "Socgholish - s1124", "Xworm", "Strelastealer", "Weaxor" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68075360a020c6b0f4bf3a56", "name": "Hackers Exploit Russian Bulletproof Host Proton66 for Global Cyberattacks", "description": "Cybersecurity researchers have uncovered a surge in mass scanning, credential brute-forcing, and exploitation attempts originating from IP addresses associated with the Russian bulletproof hosting service provider Proton66. Since January 8, 2025, these attacks have targeted organizations worldwide, deploying various malware families, including GootLoader and SpyNote. The malicious activity involves exploiting critical vulnerabilities in widely used systems, posing a significant threat to global cybersecurity.", "modified": "2025-05-22T08:02:33.885000", "created": "2025-04-22T08:29:20.493000", "tags": [ "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "proton66", "prospero", "kaspersky", "strelastealer", "russian", "gootloader", "spynote", "superblack", "xworm", "weaxor", "mallox" ], "references": [ "https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html" ], "public": 1, "adversary": "Prospero", "targeted_countries": [], "malware_families": [ { "id": "XWorm", "display_name": "XWorm", "target": null }, { "id": "StrelaStealer", "display_name": "StrelaStealer", "target": null }, { "id": "WeaXor", "display_name": "WeaXor", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "CVE": 5, "domain": 50, "URL": 42, "FileHash-SHA256": 6, "hostname": 2 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "375 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c586b5bacba874edce2bcb", "name": "PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks", "description": "The Russian autonomous system PROSPERO (AS200593) could be linked with a high level of confidence to Proton66 (AS198953), another Russian AS, that we believe to be connected to the bulletproof services named \u2018SecureHost\u2018 and \u2018BEARHOST\u2018. We notably observed that both network\u2019s configurations are almost identical in terms of peering agreements and their respective share of loads throughout time.", "modified": "2025-04-29T14:22:22.704000", "created": "2025-03-03T10:38:45.845000", "tags": [], "references": [ "https://www.intrinsec.com/prospero-proton66-tracing-uncovering-the-links-between-bulletproof-networks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 13, "URL": 20, "domain": 100, "email": 2, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "397 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67863b3c02d309ebc4f08e34", "name": "SocGholish", "description": "", "modified": "2025-02-13T10:04:02.552000", "created": "2025-01-14T10:23:53.618000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SocGholish - S1124", "display_name": "SocGholish - S1124", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "hostname": 46 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "letmespellmoons.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "letmespellmoons.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780316063.9638803 }