{ "type": "Domain", "indicator": "livemicrosft.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/livemicrosft.com", "alexa": "http://www.alexa.com/siteinfo/livemicrosft.com", "indicator": "livemicrosft.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4291974558, "indicator": "livemicrosft.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69e82714e5cf2d1fb9fe1b0a", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-22T01:40:36.560000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f295c1c348d8af6f43cf73", "name": "ibcart", "description": "The full text of the text message sent to the BBC's Deepanshugoel99 website has now been published online, and it is the first time it has done so in the UK.", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:35:29.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 149, "URL": 6, "domain": 6, "hostname": 4 }, "indicator_count": 365, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9a4b23639f997c3cba6a7", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.209000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9a4b2cef3cc730f0df1db", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.674000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf1115225832368c9af150", "name": "URLert Daily Threat Intel \u2014 2026-04-03", "description": "URLert Daily Threat Intel \u2014 2026-04-03\n\nAutomated threat intelligence from URLert (https://urlert.com) \u2014 AI-powered URL and domain analysis.\n\nThreats: 165 | Indicators: 334\nConfirmed: 47 | Likely: 117 | Domain intel: 1\nTop threats: Phishing (148), Malware Hosting (12), Dropper (3), Scanning Host (1), RAT (1)\nDomains: 1cpmspv.top, 1drv.ms, 40gmail.com, 756193.xin, adescargar.net, adobe.com, ankergames.net, as-nfd.top, betioh.com, blogspot.com, bodyshopca.com, bv-dienstleistungen.de, ca-page.cyou, ca-pag...\n\n165 unique threats producing 334 actionable indicators. Generated by URLert automated threat intelligence.", "modified": "2026-05-03T00:28:39.989000", "created": "2026-04-03T01:00:05.191000", "tags": [ "2fa-harvesting", "adult-app-distribution", "adult-content", "adware", "adware-risk", "agoda-impersonation", "ai-sweden-impersonation", "alaska", "alaska-dmv", "android-malware", "anonymous-sales", "apk-distribution", "apk-malware", "automated-scan", "blockchain-casino", "booking-com", "brand-impersonation", "brazil", "bulk-email-distribution", "california", "california-dmv-impersonation", "cloaking", "cloud-hosting", "cloudflare-abuse", "code-obfuscation", "combell-impersonation", "combosquatting", "compromised-government-site", "controlled-substances", "credential-harvesting", "credit-card-harvesting", "credit-card-scam", "credit-card-theft", "crypto-casino", "crypto-payments", "crypto-scam", "cryptocurrency-scam", "daily-threat-intel", "dao-impersonation", "dao-services", "data-harvesting", "deceptive-content", "deceptive-domain", "deceptive-landing-page", "deceptive-landing-pages", "deceptive-sales-tactics", "deceptive-site", "delivery-exception", "delivery-failure-scam", "delivery-scam", "device-access-attempt", "dhl", "digital-infrastructure-marketplace", "discord-impersonation", "discount-scam", "dmv", "document-lure", "document-sharing-scam", "docusign-impersonation", "domain-classification", "domain-squatting", "dpd", "dpd-impersonation", "dropper", "educational-content-piracy", "email-credentials", "evasion-technique", "facebook", "fake-captcha", "fake-checkout", "fake-citation", "fake-delivery-notice", "fake-delivery-notification", "fake-delivery-scam", "fake-document", "fake-document-preview", "fake-giveaway", "fake-income-opportunity", "fake-invoices", "fake-login", "fake-login-page", "fake-login-portal", "fake-online-store", "fake-payment-portal", "fake-profiles", "fake-security-check", "fake-store", "fake-toll", "fake-toll-notice", "fake-toll-scam", "fake-tracking-page", "fake-warning", "fanbox", "fantia-impersonation", "fifa", "file-sharing-impersonation", "financial-information-theft", "financial-institution-impersonation", "financial-scam", "fiverr", "foot-locker-impersonation", "footlocker", "forced-installation", "fraudulent", "fraudulent-operation", "gamers", "gibberish-domain", "gift-voucher-scam", "github-pages", "giveaway-scam", "glp-1-agonists", "gmail-impersonation", "google-docs", "google-impersonation", "google-sheets-impersonation", "government-impersonation", "government-services", "grayware", "high-abuse-domain", "high-risk-domain", "high-risk-downloads", "high-risk-tld", "high-traffic-site", "hospitality-targeting", "ic-markets-impersonation", "illegal-pharmacy", "impersonation", "information-gathering", "information-harvesting", "intelcom", "invite-code-scam", "ipfs-abuse", "israel-post", "law-firm-impersonation", "legitimate-domain-abuse", "legitimate-service-abuse", "login-page", "login-portal", "logistics", "logistics-delivery", "logistics-scam", "logistics-sector", "logistics-supply-chain", "louisiana-omv-impersonation", "malicious-domain", "malicious-link-shortener", "malicious-links", "malicious-redirect", "malicious-redirector", "malicious-redirects", "malvertising", "malware-delivery", "malware-distribution", "malware-hosting", "malware-risk", "maryland-mva", "media-markt-impersonation", "mediamarkt", "microsoft", "microsoft-forms-abuse", "microsoft-impersonation", "mobile-malware", "modified-apk-distribution", "nacex-impersonation", "ncdot", "nebula-x-impersonation", "netlify-abuse", "netlify-hosting", "new-domain", "newly-registered-domain", "nft-platform", "oklahoma-department-of-public-safety", "online-casino", "online-scam", "oxycodone", "package-delivery-scam", "payment-bypass", "payment-harvesting", "payment-information-harvesting", "payment-scam", "paypal-impersonation", "pennsylvania", "personal-data-harvesting", "personal-information-collection", "personal-information-harvesting", "personal-information-theft", "phishing", "phishing-infrastructure", "phishing-kit", "phishing-landing-page", "phishing-lure", "phishing-page", "phishing-site", "phone-number-collection", "piracy", "pirated-software", "privacy-invasion", "prize-scam", "project-proposal-scam", "pw-thor", "rapid-links-net", "recently-registered-domain", "reconnaissance", "redirect", "redirect-chain", "redirector", "refund-scam", "replit-abuse", "retail-impersonation", "retail-scam", "retail-targeting", "roblox", "roblox-impersonation", "rom-hosting", "romania", "roundcube-webmail", "sameday-impersonation", "scam", "scam-domain", "scam-pages", "scam-site", "scanner-evasion", "schylling", "security-bypass", "security-challenge-bypass", "serviceontario", "serviceontario-impersonation", "shein-impersonation", "slide-to-verify", "smishing", "social-media-impersonation", "software-piracy", "spam-distribution", "spam-facilitation", "spyware", "steam", "steam-account-theft", "stolen-credit-cards", "suspicious-domain", "suspicious-domain-extension", "suspicious-downloads", "targeted-attack", "technology-sector", "telegram-impersonation", "telegram-verification-scam", "tesco", "tesco-impersonation", "tiktok", "tiktok-impersonation", "tiktok-shop-impersonation", "tk-shop", "toll-scam", "traffic-citation-scam", "typosquatting", "unaccountable-infrastructure", "unauthorized-access", "unauthorized-content", "unauthorized-prescription-drugs", "university-brescia", "unrealistic-discounts", "unscanned-files", "unverified-software", "unwanted-programs", "unwanted-software", "urgency-scam", "urgency-tactics", "url-obscurity", "url-shortener", "url-shortener-abuse", "urlert", "video-downloader", "vitkac-impersonation", "vulnerability-scanning", "weebly-abuse", "youtube-spam" ], "references": [ "https://urlert.com/domain/1cpmspv.top", "https://urlert.com/domain/1drv.ms", "https://urlert.com/domain/40gmail.com", "https://urlert.com/domain/756193.xin", "https://urlert.com/domain/adescargar.net", "https://urlert.com/domain/adobe.com", "https://urlert.com/domain/ankergames.net", "https://urlert.com/domain/as-nfd.top", "https://urlert.com/domain/betioh.com", "https://urlert.com/domain/blogspot.com", "https://urlert.com/domain/bodyshopca.com", "https://urlert.com/domain/bv-dienstleistungen.de", "https://urlert.com/domain/ca-page.cyou", "https://urlert.com/domain/ca-page.shop", "https://urlert.com/domain/cgod.shop", "https://urlert.com/domain/ckq.cc", "https://urlert.com/domain/com-azije.cc", "https://urlert.com/domain/communityitemarts.co", "https://urlert.com/domain/create-logo-maker.net", "https://urlert.com/domain/cvmr.life" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Financial Services", "Government", "Healthcare", "Hospitality", "Legal Services", "Logistics / Supply Chain", "Media / Entertainment", "Real Estate", "Retail / E-Commerce", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "urlert_intel", "id": "386175", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_386175/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 98, "hostname": 55, "URL": 104 }, "indicator_count": 257, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlert.com/domain/cgod.shop", "https://urlert.com/domain/40gmail.com", "https://urlert.com/domain/betioh.com", "https://urlert.com/domain/ca-page.shop", "https://urlert.com/domain/bv-dienstleistungen.de", "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/", "https://urlert.com/domain/create-logo-maker.net", "https://urlert.com/domain/1drv.ms", "https://urlert.com/domain/1cpmspv.top", "https://urlert.com/domain/adobe.com", "https://urlert.com/domain/756193.xin", "https://urlert.com/domain/ca-page.cyou", "https://urlert.com/domain/communityitemarts.co", "https://urlert.com/domain/adescargar.net", "IOCs.2026.csv", "https://urlert.com/domain/ankergames.net", "https://urlert.com/domain/bodyshopca.com", "https://urlert.com/domain/as-nfd.top", "https://urlert.com/domain/ckq.cc", "https://urlert.com/domain/com-azije.cc", "https://urlert.com/domain/cvmr.life", "https://urlert.com/domain/blogspot.com" ], "related": { "alienvault": { "adversary": [ "Lazarus Group" ], "malware_families": [ "Mach-o man", "Pylangghostrat" ], "industries": [ "Technology", "Finance" ] }, "other": { "adversary": [ "Lazarus Group", "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot" ], "malware_families": [ "Mach-o man", "Pylangghostrat" ], "industries": [ "Education", "Finance", "Healthcare", "Real estate", "Government", "Retail / e-commerce", "Media / entertainment", "Legal services", "Hospitality", "Logistics / supply chain", "Technology", "Financial services" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69e82714e5cf2d1fb9fe1b0a", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "Lazarus Group is conducting an active campaign targeting businesses through ClickFix attacks, distributing a newly identified macOS malware kit called \"Mach-O Man\". The attack begins with fake meeting invitations via Telegram, redirecting victims to fraudulent collaboration platforms impersonating Zoom, Microsoft Teams, or Google Meet. Victims are tricked into executing terminal commands that install the malware. The kit consists of Go-based Mach-O binaries including a stager, profiler, persistence mechanism, and stealer. The malware collects credentials, browser data, and macOS Keychain entries, exfiltrating data through Telegram. Primary targets include fintech, crypto, and high-value environments where macOS is prevalent. The campaign leverages social engineering and native macOS binaries to evade traditional EDR detection, ultimately enabling account takeover, unauthorized infrastructure access, and financial loss.", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-22T01:40:36.560000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 386461, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f295c1c348d8af6f43cf73", "name": "ibcart", "description": "The full text of the text message sent to the BBC's Deepanshugoel99 website has now been published online, and it is the first time it has done so in the UK.", "modified": "2026-05-29T23:35:16.304000", "created": "2026-04-29T23:35:29.332000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 149, "URL": 6, "domain": 6, "hostname": 4 }, "indicator_count": 365, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ecae6a156da44db667be66", "name": "imvfeoirewIVONVCIDJCJCW", "description": "", "modified": "2026-05-25T12:11:06.214000", "created": "2026-04-25T12:07:06.437000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 508, "FileHash-MD5": 100, "FileHash-SHA1": 100, "FileHash-SHA256": 187, "domain": 17, "hostname": 159 }, "indicator_count": 1071, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9a4b23639f997c3cba6a7", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.209000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e9a4b2cef3cc730f0df1db", "name": "Mach-O Man Malware: What CISOs Need to Know", "description": "", "modified": "2026-05-22T00:19:59.440000", "created": "2026-04-23T04:48:50.674000", "tags": [ "mach-o man", "browser stealing", "pylangghostrat", "social engineering", "macos", "mach-o binaries", "telegram exfiltration", "credential theft", "clickfix", "fintech targeting" ], "references": [ "https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [], "malware_families": [ { "id": "Mach-O Man", "display_name": "Mach-O Man", "target": null }, { "id": "PyLangGhostRAT", "display_name": "PyLangGhostRAT", "target": null } ], "attack_ids": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "display_name": "T1548.003 - Sudo and Sudo Caching" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "Finance", "Technology" ], "TLP": "white", "cloned_from": "69e82714e5cf2d1fb9fe1b0a", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf1115225832368c9af150", "name": "URLert Daily Threat Intel \u2014 2026-04-03", "description": "URLert Daily Threat Intel \u2014 2026-04-03\n\nAutomated threat intelligence from URLert (https://urlert.com) \u2014 AI-powered URL and domain analysis.\n\nThreats: 165 | Indicators: 334\nConfirmed: 47 | Likely: 117 | Domain intel: 1\nTop threats: Phishing (148), Malware Hosting (12), Dropper (3), Scanning Host (1), RAT (1)\nDomains: 1cpmspv.top, 1drv.ms, 40gmail.com, 756193.xin, adescargar.net, adobe.com, ankergames.net, as-nfd.top, betioh.com, blogspot.com, bodyshopca.com, bv-dienstleistungen.de, ca-page.cyou, ca-pag...\n\n165 unique threats producing 334 actionable indicators. Generated by URLert automated threat intelligence.", "modified": "2026-05-03T00:28:39.989000", "created": "2026-04-03T01:00:05.191000", "tags": [ "2fa-harvesting", "adult-app-distribution", "adult-content", "adware", "adware-risk", "agoda-impersonation", "ai-sweden-impersonation", "alaska", "alaska-dmv", "android-malware", "anonymous-sales", "apk-distribution", "apk-malware", "automated-scan", "blockchain-casino", "booking-com", "brand-impersonation", "brazil", "bulk-email-distribution", "california", "california-dmv-impersonation", "cloaking", "cloud-hosting", "cloudflare-abuse", "code-obfuscation", "combell-impersonation", "combosquatting", "compromised-government-site", "controlled-substances", "credential-harvesting", "credit-card-harvesting", "credit-card-scam", "credit-card-theft", "crypto-casino", "crypto-payments", "crypto-scam", "cryptocurrency-scam", "daily-threat-intel", "dao-impersonation", "dao-services", "data-harvesting", "deceptive-content", "deceptive-domain", "deceptive-landing-page", "deceptive-landing-pages", "deceptive-sales-tactics", "deceptive-site", "delivery-exception", "delivery-failure-scam", "delivery-scam", "device-access-attempt", "dhl", "digital-infrastructure-marketplace", "discord-impersonation", "discount-scam", "dmv", "document-lure", "document-sharing-scam", "docusign-impersonation", "domain-classification", "domain-squatting", "dpd", "dpd-impersonation", "dropper", "educational-content-piracy", "email-credentials", "evasion-technique", "facebook", "fake-captcha", "fake-checkout", "fake-citation", "fake-delivery-notice", "fake-delivery-notification", "fake-delivery-scam", "fake-document", "fake-document-preview", "fake-giveaway", "fake-income-opportunity", "fake-invoices", "fake-login", "fake-login-page", "fake-login-portal", "fake-online-store", "fake-payment-portal", "fake-profiles", "fake-security-check", "fake-store", "fake-toll", "fake-toll-notice", "fake-toll-scam", "fake-tracking-page", "fake-warning", "fanbox", "fantia-impersonation", "fifa", "file-sharing-impersonation", "financial-information-theft", "financial-institution-impersonation", "financial-scam", "fiverr", "foot-locker-impersonation", "footlocker", "forced-installation", "fraudulent", "fraudulent-operation", "gamers", "gibberish-domain", "gift-voucher-scam", "github-pages", "giveaway-scam", "glp-1-agonists", "gmail-impersonation", "google-docs", "google-impersonation", "google-sheets-impersonation", "government-impersonation", "government-services", "grayware", "high-abuse-domain", "high-risk-domain", "high-risk-downloads", "high-risk-tld", "high-traffic-site", "hospitality-targeting", "ic-markets-impersonation", "illegal-pharmacy", "impersonation", "information-gathering", "information-harvesting", "intelcom", "invite-code-scam", "ipfs-abuse", "israel-post", "law-firm-impersonation", "legitimate-domain-abuse", "legitimate-service-abuse", "login-page", "login-portal", "logistics", "logistics-delivery", "logistics-scam", "logistics-sector", "logistics-supply-chain", "louisiana-omv-impersonation", "malicious-domain", "malicious-link-shortener", "malicious-links", "malicious-redirect", "malicious-redirector", "malicious-redirects", "malvertising", "malware-delivery", "malware-distribution", "malware-hosting", "malware-risk", "maryland-mva", "media-markt-impersonation", "mediamarkt", "microsoft", "microsoft-forms-abuse", "microsoft-impersonation", "mobile-malware", "modified-apk-distribution", "nacex-impersonation", "ncdot", "nebula-x-impersonation", "netlify-abuse", "netlify-hosting", "new-domain", "newly-registered-domain", "nft-platform", "oklahoma-department-of-public-safety", "online-casino", "online-scam", "oxycodone", "package-delivery-scam", "payment-bypass", "payment-harvesting", "payment-information-harvesting", "payment-scam", "paypal-impersonation", "pennsylvania", "personal-data-harvesting", "personal-information-collection", "personal-information-harvesting", "personal-information-theft", "phishing", "phishing-infrastructure", "phishing-kit", "phishing-landing-page", "phishing-lure", "phishing-page", "phishing-site", "phone-number-collection", "piracy", "pirated-software", "privacy-invasion", "prize-scam", "project-proposal-scam", "pw-thor", "rapid-links-net", "recently-registered-domain", "reconnaissance", "redirect", "redirect-chain", "redirector", "refund-scam", "replit-abuse", "retail-impersonation", "retail-scam", "retail-targeting", "roblox", "roblox-impersonation", "rom-hosting", "romania", "roundcube-webmail", "sameday-impersonation", "scam", "scam-domain", "scam-pages", "scam-site", "scanner-evasion", "schylling", "security-bypass", "security-challenge-bypass", "serviceontario", "serviceontario-impersonation", "shein-impersonation", "slide-to-verify", "smishing", "social-media-impersonation", "software-piracy", "spam-distribution", "spam-facilitation", "spyware", "steam", "steam-account-theft", "stolen-credit-cards", "suspicious-domain", "suspicious-domain-extension", "suspicious-downloads", "targeted-attack", "technology-sector", "telegram-impersonation", "telegram-verification-scam", "tesco", "tesco-impersonation", "tiktok", "tiktok-impersonation", "tiktok-shop-impersonation", "tk-shop", "toll-scam", "traffic-citation-scam", "typosquatting", "unaccountable-infrastructure", "unauthorized-access", "unauthorized-content", "unauthorized-prescription-drugs", "university-brescia", "unrealistic-discounts", "unscanned-files", "unverified-software", "unwanted-programs", "unwanted-software", "urgency-scam", "urgency-tactics", "url-obscurity", "url-shortener", "url-shortener-abuse", "urlert", "video-downloader", "vitkac-impersonation", "vulnerability-scanning", "weebly-abuse", "youtube-spam" ], "references": [ "https://urlert.com/domain/1cpmspv.top", "https://urlert.com/domain/1drv.ms", "https://urlert.com/domain/40gmail.com", "https://urlert.com/domain/756193.xin", "https://urlert.com/domain/adescargar.net", "https://urlert.com/domain/adobe.com", "https://urlert.com/domain/ankergames.net", "https://urlert.com/domain/as-nfd.top", "https://urlert.com/domain/betioh.com", "https://urlert.com/domain/blogspot.com", "https://urlert.com/domain/bodyshopca.com", "https://urlert.com/domain/bv-dienstleistungen.de", "https://urlert.com/domain/ca-page.cyou", "https://urlert.com/domain/ca-page.shop", "https://urlert.com/domain/cgod.shop", "https://urlert.com/domain/ckq.cc", "https://urlert.com/domain/com-azije.cc", "https://urlert.com/domain/communityitemarts.co", "https://urlert.com/domain/create-logo-maker.net", "https://urlert.com/domain/cvmr.life" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Financial Services", "Government", "Healthcare", "Hospitality", "Legal Services", "Logistics / Supply Chain", "Media / Entertainment", "Real Estate", "Retail / E-Commerce", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "urlert_intel", "id": "386175", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_386175/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 98, "hostname": 55, "URL": 104 }, "indicator_count": 257, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "livemicrosft.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "livemicrosft.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780184989.0755973 }