{ "type": "Domain", "indicator": "linedloop.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/linedloop.org", "alexa": "http://www.alexa.com/siteinfo/linedloop.org", "indicator": "linedloop.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3712964006, "indicator": "linedloop.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "670f879377f69603fe32d425", "name": "A Website Attacked", "description": "This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.", "modified": "2024-11-15T09:03:06.312000", "created": "2024-10-16T09:29:55.871000", "tags": [ "spoofing", "browser updates", "netsupport", "compromised websites", "malware", "watering hole" ], "references": [ "https://www.domaintools.com/resources/blog/a-website-attacked/" ], "public": 1, "adversary": "Socgholish", "targeted_countries": [ "United States of America", "Thailand", "Japan" ], "malware_families": [ { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Aerospace", "Healthcare", "Retail", "Hospitality", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 30, "domain": 33, "hostname": 1 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 377568, "modified_text": "520 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e3d36fadbe23f8ca2de018", "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio", "description": "", "modified": "2024-03-03T01:33:35.090000", "created": "2024-03-03T01:33:35.090000", "tags": [], "references": [ "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FAKEUPDATES", "display_name": "FAKEUPDATES", "target": null }, { "id": "FakeUpdates", "display_name": "FakeUpdates", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "KeitaroTDS", "display_name": "KeitaroTDS", "target": null }, { "id": "VexTrio", "display_name": "VexTrio", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65d27eac8ad9391c910ee0e9", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 47, "domain": 40 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "777 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d27eac8ad9391c910ee0e9", "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio", "description": "This is a list of common KeitaroTDS wordpress injects used to load SocGholish and VexTrio malware.", "modified": "2024-02-18T22:03:24.055000", "created": "2024-02-18T22:03:24.055000", "tags": [], "references": [ "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FAKEUPDATES", "display_name": "FAKEUPDATES", "target": null }, { "id": "FakeUpdates", "display_name": "FakeUpdates", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "KeitaroTDS", "display_name": "KeitaroTDS", "target": null }, { "id": "VexTrio", "display_name": "VexTrio", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 47, "domain": 40 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "791 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.domaintools.com/resources/blog/a-website-attacked/", "https://twitter.com/500mk500/status/1771235578274607201", "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt" ], "related": { "alienvault": { "adversary": [ "Socgholish" ], "malware_families": [ "Netsupport" ], "industries": [ "Hospitality", "Aerospace", "Retail", "Technology", "Healthcare" ] }, "other": { "adversary": [ "TA569" ], "malware_families": [ "Keitarotds", "Vextrio", "Socgholish", "Fakeupdates" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "670f879377f69603fe32d425", "name": "A Website Attacked", "description": "This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.", "modified": "2024-11-15T09:03:06.312000", "created": "2024-10-16T09:29:55.871000", "tags": [ "spoofing", "browser updates", "netsupport", "compromised websites", "malware", "watering hole" ], "references": [ "https://www.domaintools.com/resources/blog/a-website-attacked/" ], "public": 1, "adversary": "Socgholish", "targeted_countries": [ "United States of America", "Thailand", "Japan" ], "malware_families": [ { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" } ], "industries": [ "Aerospace", "Healthcare", "Retail", "Hospitality", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 76, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 30, "domain": 33, "hostname": 1 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 377568, "modified_text": "520 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fe20d1635c58fd2be328bc", "name": "FAKEUPDATES by ThreatFox", "description": "", "modified": "2024-05-12T20:27:02.873000", "created": "2024-03-23T00:22:41.667000", "tags": [ "virustotal" ], "references": [ "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates", "https://twitter.com/500mk500/status/1771235578274607201" ], "public": 1, "adversary": "TA569", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1001, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 5, "domain": 426, "hostname": 272 }, "indicator_count": 1708, "is_author": false, "is_subscribing": null, "subscriber_count": 179, "modified_text": "707 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65e3d36fadbe23f8ca2de018", "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio", "description": "", "modified": "2024-03-03T01:33:35.090000", "created": "2024-03-03T01:33:35.090000", "tags": [], "references": [ "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FAKEUPDATES", "display_name": "FAKEUPDATES", "target": null }, { "id": "FakeUpdates", "display_name": "FakeUpdates", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "KeitaroTDS", "display_name": "KeitaroTDS", "target": null }, { "id": "VexTrio", "display_name": "VexTrio", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65d27eac8ad9391c910ee0e9", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 47, "domain": 40 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "777 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d27eac8ad9391c910ee0e9", "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio", "description": "This is a list of common KeitaroTDS wordpress injects used to load SocGholish and VexTrio malware.", "modified": "2024-02-18T22:03:24.055000", "created": "2024-02-18T22:03:24.055000", "tags": [], "references": [ "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "FAKEUPDATES", "display_name": "FAKEUPDATES", "target": null }, { "id": "FakeUpdates", "display_name": "FakeUpdates", "target": null }, { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "KeitaroTDS", "display_name": "KeitaroTDS", "target": null }, { "id": "VexTrio", "display_name": "VexTrio", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "@Gi7w0rm", "id": "165134", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 47, "domain": 40 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "791 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6510a2dd9c7acab85a26f978", "name": "Phishing sites 2023-09-24", "description": "https://github.com/olbat/ut1-blacklists/blob/master/blacklists/phishing/domains", "modified": "2023-10-24T20:02:37.137000", "created": "2023-09-24T20:58:05.025000", "tags": [ "phishing" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "France" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "URL": 5, "domain": 37579, "hostname": 3238 }, "indicator_count": 40832, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "908 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "linedloop.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "linedloop.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776639449.9213932 }