{ "type": "Domain", "indicator": "linetowaystrue.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/linetowaystrue.com", "alexa": "http://www.alexa.com/siteinfo/linetowaystrue.com", "indicator": "linetowaystrue.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4154467171, "indicator": "linetowaystrue.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6926c81b646b18ae922d7f8d", "name": "The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk", "description": "Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.", "modified": "2025-11-26T09:56:14.094000", "created": "2025-11-26T09:27:55.622000", "tags": [ "cve-2025-27915", "macos", "balada injector", "push notifications", "calendar subscriptions", "ios", "expired domains", "social engineering", "cybersecurity" ], "references": [ "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology", "Finance", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1, "URL": 6, "domain": 12, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6929fcd0b477b526096ae8c0", "name": "Large Scale Calendar Subscription Abuse Driving iCalendar and Push Notification Exploitation", "description": "", "modified": "2025-11-28T19:49:36.692000", "created": "2025-11-28T19:49:36.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "183 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book1.csv", "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Education", "Technology", "Government", "Finance" ] }, "other": { "adversary": [ "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6926c81b646b18ae922d7f8d", "name": "The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk", "description": "Bitsight researchers uncovered a significant security risk associated with calendar subscriptions, potentially affecting 4 million devices. Expired or hijacked domains hosting calendar subscriptions can be exploited for large-scale social engineering attacks. The research revealed two types of sync requests reaching their sinkhole, indicating different networks at play. The infrastructure behind these operations was found to be deliberate and planned, with domains actively registered until 2025. The attack vector leverages users' trust in calendar events, making it more effective than traditional phishing emails. The researchers also discovered links to the Balada injector campaign, involving website compromises and redirection chains. The scale of operations includes over 1,300 domains and various monetization strategies, including selling calendar event ad space.", "modified": "2025-11-26T09:56:14.094000", "created": "2025-11-26T09:27:55.622000", "tags": [ "cve-2025-27915", "macos", "balada injector", "push notifications", "calendar subscriptions", "ios", "expired domains", "social engineering", "cybersecurity" ], "references": [ "https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-million-devices-risk" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [ "Technology", "Finance", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1, "URL": 6, "domain": 12, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 386492, "modified_text": "185 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692d7519544b62e86aa47157", "name": "EbeeNov2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-12-31T10:00:16.038000", "created": "2025-12-01T10:59:37.970000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "cve20243721 cve", "cve20131599 cve", "cve20143206 cve", "cve20179841 cve", "cve20199082 cve", "cve20208958 cve" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "APT24, Autumn Dragon, Operation DreamJob, Water Gamayun, Shai-Hulud Campaign Infecting Macs via Face", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "CVE": 35, "FileHash-MD5": 221, "FileHash-SHA1": 188, "FileHash-SHA256": 232, "domain": 150, "email": 1, "hostname": 40 }, "indicator_count": 921, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "150 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6929fcd0b477b526096ae8c0", "name": "Large Scale Calendar Subscription Abuse Driving iCalendar and Push Notification Exploitation", "description": "", "modified": "2025-11-28T19:49:36.692000", "created": "2025-11-28T19:49:36.692000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "183 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "linetowaystrue.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "linetowaystrue.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210709.5365562 }