{ "type": "Domain", "indicator": "longlog.cc", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/longlog.cc", "alexa": "http://www.alexa.com/siteinfo/longlog.cc", "indicator": "longlog.cc", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4040492941, "indicator": "longlog.cc", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "67bd958b5dda19e4363aa95d", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The attackers employ complex infrastructure for payload delivery and command and control, utilizing multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, it's suspected to potentially use compromised devices as Operational Relay Boxes for launching offensive cyber attacks. The sophistication of the operation suggests skilled operators behind this extensive and well-coordinated threat.", "modified": "2025-03-27T10:01:57.659000", "created": "2025-02-25T10:03:55.448000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386776, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c22b3841c96fb90972ced5", "name": "PolarEdge Botnet Targets Unpatched Flaw in Edge Devices", "description": "The PolarEdge botnet is exploiting an unpatched vulnerability to install a TLS-based backdoor on edge devices from different vendors.", "modified": "2025-03-30T21:00:16.856000", "created": "2025-02-28T21:31:36.465000", "tags": [ "cyber threat", "march", "time", "crypto cyber", "defence", "classification", "confidential", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c04334b965faa684b6ac50", "name": "PolarEdge: Unveiling an uncovered ORB network - Sekoia.io Blog", "description": "A security researcher from Sekoia has identified a malicious backdoor and its associated botnet, which has been active since the end of 2023 and is believed to be active for at least a decade.", "modified": "2025-03-29T10:02:50.535000", "created": "2025-02-27T10:49:24.254000", "tags": [ "ip address", "february", "tls backdoor", "virustotal", "synology", "asus", "polaredge", "january", "elf binary", "december", "stark", "polar", "august", "execution", "openssl", "ukraine", "kremlin", "mexico", "chaos", "quad7", "gobrat", "qnap", "flint", "tls" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "QNAP", "display_name": "QNAP", "target": null }, { "id": "Synology", "display_name": "Synology", "target": null }, { "id": "FLINT", "display_name": "FLINT", "target": null }, { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "Asus", "display_name": "Asus", "target": null }, { "id": "TLS", "display_name": "TLS", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 6, "domain": 17 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67913675e6e09a54530f3", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:51.378000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67916a6ea32aac5ec989e", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:54.537000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/", "Oct week.3.pdf", "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Polaredge", "Cipher_log" ], "industries": [] }, "other": { "adversary": [ "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor" ], "malware_families": [ "Cipher_log", "Flint", "Tls", "Synology", "Asus", "Polaredge", "Qnap" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "67bd958b5dda19e4363aa95d", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge has infected over 2,000 devices globally, with a significant presence in Asia and South America. The attackers employ complex infrastructure for payload delivery and command and control, utilizing multiple domains and IP addresses. While the botnet's ultimate purpose remains unclear, it's suspected to potentially use compromised devices as Operational Relay Boxes for launching offensive cyber attacks. The sophistication of the operation suggests skilled operators behind this extensive and well-coordinated threat.", "modified": "2025-03-27T10:01:57.659000", "created": "2025-02-25T10:03:55.448000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386776, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c22b3841c96fb90972ced5", "name": "PolarEdge Botnet Targets Unpatched Flaw in Edge Devices", "description": "The PolarEdge botnet is exploiting an unpatched vulnerability to install a TLS-based backdoor on edge devices from different vendors.", "modified": "2025-03-30T21:00:16.856000", "created": "2025-02-28T21:31:36.465000", "tags": [ "cyber threat", "march", "time", "crypto cyber", "defence", "classification", "confidential", "domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c04334b965faa684b6ac50", "name": "PolarEdge: Unveiling an uncovered ORB network - Sekoia.io Blog", "description": "A security researcher from Sekoia has identified a malicious backdoor and its associated botnet, which has been active since the end of 2023 and is believed to be active for at least a decade.", "modified": "2025-03-29T10:02:50.535000", "created": "2025-02-27T10:49:24.254000", "tags": [ "ip address", "february", "tls backdoor", "virustotal", "synology", "asus", "polaredge", "january", "elf binary", "december", "stark", "polar", "august", "execution", "openssl", "ukraine", "kremlin", "mexico", "chaos", "quad7", "gobrat", "qnap", "flint", "tls" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "QNAP", "display_name": "QNAP", "target": null }, { "id": "Synology", "display_name": "Synology", "target": null }, { "id": "FLINT", "display_name": "FLINT", "target": null }, { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "Asus", "display_name": "Asus", "target": null }, { "id": "TLS", "display_name": "TLS", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 6, "domain": 17 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67913675e6e09a54530f3", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:51.378000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c67916a6ea32aac5ec989e", "name": "PolarEdge: Unveiling an uncovered ORB network", "description": "", "modified": "2025-03-27T10:01:57.659000", "created": "2025-03-04T03:52:54.537000", "tags": [ "qnap", "polaredge", "asus", "cve-2023-20118", "tls backdoor", "infrastructure analysis", "synology", "edge devices", "botnet", "vulnerability exploitation", "cipher_log", "cisco" ], "references": [ "https://blog.sekoia.io/polaredge-unveiling-an-uncovered-iot-botnet/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Taiwan" ], "malware_families": [ { "id": "PolarEdge", "display_name": "PolarEdge", "target": null }, { "id": "cipher_log", "display_name": "cipher_log", "target": null } ], "attack_ids": [ { "id": "T1542.001", "name": "System Firmware", "display_name": "T1542.001 - System Firmware" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "67bd958b5dda19e4363aa95d", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 4, "domain": 17 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "431 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "longlog.cc", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "longlog.cc", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780358297.3723643 }