{ "type": "Domain", "indicator": "login-users.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/login-users.com", "alexa": "http://www.alexa.com/siteinfo/login-users.com", "indicator": "login-users.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 9212, "indicator": "login-users.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "55df30f04637f21c54c1a2b2", "name": "London Calling: Two-Factor Authentication Phishing From Iran", "description": "(Citizen Lab) This report describes an elaborate phishing campaign against targets in Iran\u2019s diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and \u201creal time\u201d login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.\n\nThe attacks point to extensive knowledge of the targets\u2019 activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.", "modified": "2017-08-24T10:48:01.312000", "created": "2015-08-27T15:46:56.180000", "tags": [ "2fa", "iran", "gmail", "Two-factor authentication", "phishing", "citizen lab" ], "references": [ "https://citizenlab.org/2015/08/iran_two_factor_phishing/" ], "public": 1, "adversary": null, "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 49, "upvotes_count": 4.0, "downvotes_count": 0.0, "votes_count": 4.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7, "hostname": 4, "email": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "3201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5640d95e67db8c7a156aeaaa", "name": "Rocket Kitten: A campaign with 9 lives", "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.", "modified": "2017-08-23T14:00:07.639000", "created": "2015-11-09T17:35:26.197000", "tags": [ "rocket kitten", "newscaster", "Saffron rose", "iran", "Gholee", "CWoolger", "MPK", "Havij", "acunetix", "NetSparker", "checkpoint" ], "references": [ "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 7.0, "downvotes_count": 0.0, "votes_count": 7.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 25, "FileHash-MD5": 73, "FileHash-SHA1": 66, "YARA": 4 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 386491, "modified_text": "3202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "556f64deb45ff51f05cfbb9e", "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign", "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate this it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, which exposed new information about the attack and is currently assisting with the investigation.", "modified": "2017-03-07T15:01:49.598000", "created": "2015-06-03T20:34:38.801000", "tags": [ "iran", "spearphishing", "phishing", "israel", "Gholee", "Rocket Kitten", "WOOLEN GOLDFISH", "Ajax Security Team", "Newscaster", "CWoolger", "Middle East" ], "references": [ "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 7, "hostname": 1, "FileHash-MD5": 3, "FileHash-SHA1": 3, "email": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "3371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "APT group ups targets us gov.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-02-15 - Carbanak.pdf", "https://citizenlab.org/2015/08/iran_two_factor_phishing/", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "Black Vine.pdf", "Duqu 2.0 Yara rules.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "Duke cloud Linux (1).pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "https://attack.mitre.org/groups/G0130/", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-10-15 - Archivist.pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "Cmstar Downloader.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "Black Energy.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "Blue termite (1).pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "Babar or Bunny.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "blog.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "Anthem hack all roads lead to China.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "Duqu 2.0 Win32K Exploit.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "Copy Kittens.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "Wild Neutron.pdf", "Emdivi.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "China Peace Palace.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "Dukes.pdf", "Agent.BTZ to ComRAT.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "Behind the syria conflict.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "Rocket Kitten.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-17 - The Spring Dragon APT.pdf", "Attacks on France TV5 Monde.pdf", "BBSRAT Roaming Tiger.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "Casper Malware.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "Demonstrating Hustle.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "Duke cloud Linux.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "Goldfish Phishing.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "Dino.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "Apt 28 (2).pdf", "2015-05-14 - The Naikon APT.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "Trojan Skelky.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "APT 28 (1).pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "Indicators of Compormise Hellsing.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "Afghan Government Compromise - Browser Beware.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-03-28 - UACME.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "Babar.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "Bookworm Trojan (1).pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-11-16 - Introducing LogPOS.pdf", "APT 28.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "Attacks against Israeli & Palestinian interests.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf" ], "related": { "alienvault": { "adversary": [ "Rocket Kitten" ], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Ajax Security Team" ], "malware_families": [ "Detected gholee", "Ishak", "Bkdr_ghole.b.", "Tspy_woolerg.a.", "Flying kitten", "Hoffman", "Ghole", "Rocket kitten" ], "industries": [ "Aerospace", "Government", "Defense" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "55df30f04637f21c54c1a2b2", "name": "London Calling: Two-Factor Authentication Phishing From Iran", "description": "(Citizen Lab) This report describes an elaborate phishing campaign against targets in Iran\u2019s diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and \u201creal time\u201d login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi.\n\nThe attacks point to extensive knowledge of the targets\u2019 activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.", "modified": "2017-08-24T10:48:01.312000", "created": "2015-08-27T15:46:56.180000", "tags": [ "2fa", "iran", "gmail", "Two-factor authentication", "phishing", "citizen lab" ], "references": [ "https://citizenlab.org/2015/08/iran_two_factor_phishing/" ], "public": 1, "adversary": null, "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 49, "upvotes_count": 4.0, "downvotes_count": 0.0, "votes_count": 4.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7, "hostname": 4, "email": 3 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 386479, "modified_text": "3201 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5640d95e67db8c7a156aeaaa", "name": "Rocket Kitten: A campaign with 9 lives", "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.", "modified": "2017-08-23T14:00:07.639000", "created": "2015-11-09T17:35:26.197000", "tags": [ "rocket kitten", "newscaster", "Saffron rose", "iran", "Gholee", "CWoolger", "MPK", "Havij", "acunetix", "NetSparker", "checkpoint" ], "references": [ "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 59, "upvotes_count": 7.0, "downvotes_count": 0.0, "votes_count": 7.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 25, "FileHash-MD5": 73, "FileHash-SHA1": 66, "YARA": 4 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 386491, "modified_text": "3202 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "556f64deb45ff51f05cfbb9e", "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign", "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate this it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, which exposed new information about the attack and is currently assisting with the investigation.", "modified": "2017-03-07T15:01:49.598000", "created": "2015-06-03T20:34:38.801000", "tags": [ "iran", "spearphishing", "phishing", "israel", "Gholee", "Rocket Kitten", "WOOLEN GOLDFISH", "Ajax Security Team", "Newscaster", "CWoolger", "Middle East" ], "references": [ "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf" ], "public": 1, "adversary": "Rocket Kitten", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 52, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "domain": 7, "hostname": 1, "FileHash-MD5": 3, "FileHash-SHA1": 3, "email": 1 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 386495, "modified_text": "3371 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "login-users.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "login-users.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185145.7859461 }