{
  "type": "Domain",
  "indicator": "lumaailabs.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/lumaailabs.com",
    "alexa": "http://www.alexa.com/siteinfo/lumaailabs.com",
    "indicator": "lumaailabs.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4067831060,
      "indicator": "lumaailabs.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "6823da0629b3aca6b2dfc792",
          "name": "Twitter Feed - skocherhan - 13-05-2025",
          "description": "",
          "modified": "2025-06-12T23:00:48.619000",
          "created": "2025-05-13T23:47:18.758000",
          "tags": [
            "phishing",
            "C2",
            "NetSupport",
            "Lumma"
          ],
          "references": [
            "https://x.com/skocherhan/status/1922088229668344157",
            "https://x.com/skocherhan/status/1922022323093143736",
            "https://x.com/skocherhan/status/1922127244522356961",
            "https://x.com/skocherhan/status/1922133808750436722",
            "https://x.com/skocherhan/status/1922135739334078652",
            "https://x.com/skocherhan/status/1922138570040430861",
            "https://x.com/skocherhan/status/1922146568368435429",
            "https://x.com/skocherhan/status/1922261189381300353",
            "https://x.com/skocherhan/status/1922267683753509336",
            "https://x.com/skocherhan/status/1922269784860766270",
            "https://x.com/skocherhan/status/1922283405816774836",
            "https://x.com/skocherhan/status/1922290527807938685",
            "https://x.com/skocherhan/status/1922296558726332917",
            "https://x.com/skocherhan/status/1922302556065153378",
            "https://x.com/skocherhan/status/1922319725679280273",
            "https://x.com/skocherhan/status/1922372009574432809",
            "https://x.com/skocherhan/status/1922389683763384648",
            "https://x.com/skocherhan/status/1922396080882278668",
            "https://x.com/skocherhan/status/1922402250854437074",
            "https://x.com/skocherhan/status/1922409801759268902",
            "https://x.com/skocherhan/status/1922417392451297539"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 73,
            "URL": 99,
            "FileHash-MD5": 10,
            "hostname": 15
          },
          "indicator_count": 197,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "352 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682287b882c39a0228bed6be",
          "name": "Twitter Feed - skocherhan - 12-05-2025",
          "description": "",
          "modified": "2025-06-11T23:04:37.592000",
          "created": "2025-05-12T23:43:52.352000",
          "tags": [
            "malware",
            "C2",
            "phishing"
          ],
          "references": [
            "https://x.com/skocherhan/status/1921887460906226058",
            "https://x.com/skocherhan/status/1921905749061480463",
            "https://x.com/skocherhan/status/1921909441659633748",
            "https://x.com/skocherhan/status/1921939831577292946",
            "https://x.com/skocherhan/status/1921943491422155211",
            "https://x.com/skocherhan/status/1921994200792314329",
            "https://x.com/skocherhan/status/1922011840432738542",
            "https://x.com/skocherhan/status/1922022323093143736",
            "https://x.com/skocherhan/status/1922038460686258319",
            "https://x.com/skocherhan/status/1922042871504425105"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 6,
            "domain": 48,
            "hostname": 6
          },
          "indicator_count": 120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "353 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6838080f58e2d6ee8f43c9d3",
          "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites",
          "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus",
          "modified": "2025-05-29T07:09:03.459000",
          "created": "2025-05-29T07:09:03.459000",
          "tags": [
            "protobuf",
            "hkcusoftware",
            "urls",
            "webdrivers",
            "figure",
            "threat intelligence",
            "frostrift",
            "starkveil",
            "xworm",
            "grimpull"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en"
          ],
          "public": 1,
          "adversary": "Figure",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Threat Intelligence",
              "display_name": "Threat Intelligence",
              "target": null
            },
            {
              "id": "FROSTRIFT",
              "display_name": "FROSTRIFT",
              "target": null
            },
            {
              "id": "STARKVEIL",
              "display_name": "STARKVEIL",
              "target": null
            },
            {
              "id": "XWORM",
              "display_name": "XWORM",
              "target": null
            },
            {
              "id": "GRIMPULL",
              "display_name": "GRIMPULL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA256": 9,
            "domain": 30,
            "hostname": 2
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "367 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6836fce0d7f64f82186e780a",
          "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog",
          "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including on Facebook and LinkedIn.",
          "modified": "2025-05-28T12:09:04.021000",
          "created": "2025-05-28T12:09:04.021000",
          "tags": [
            "protobuf",
            "hkcusoftware",
            "urls",
            "webdrivers",
            "figure",
            "threat intelligence",
            "frostrift",
            "starkveil",
            "xworm",
            "grimpull"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/"
          ],
          "public": 1,
          "adversary": "Figure",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Threat Intelligence",
              "display_name": "Threat Intelligence",
              "target": null
            },
            {
              "id": "FROSTRIFT",
              "display_name": "FROSTRIFT",
              "target": null
            },
            {
              "id": "STARKVEIL",
              "display_name": "STARKVEIL",
              "target": null
            },
            {
              "id": "XWORM",
              "display_name": "XWORM",
              "target": null
            },
            {
              "id": "GRIMPULL",
              "display_name": "GRIMPULL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 9,
            "URL": 7,
            "YARA": 2,
            "domain": 30,
            "hostname": 2
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "367 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682254fb50cbbda5247d935d",
          "name": "Noodlophile Stealer",
          "description": "",
          "modified": "2025-05-27T20:44:21.221000",
          "created": "2025-05-12T20:07:23.371000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Noodlophile Stealer",
              "display_name": "Noodlophile Stealer",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 20
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 182,
          "modified_text": "368 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68361f3322abf0f14a1dc6bb",
          "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog",
          "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including on Facebook and LinkedIn.",
          "modified": "2025-05-27T20:23:15.312000",
          "created": "2025-05-27T20:23:15.312000",
          "tags": [
            "protobuf",
            "hkcusoftware",
            "urls",
            "webdrivers",
            "figure",
            "threat intelligence",
            "frostrift",
            "starkveil",
            "xworm",
            "grimpull"
          ],
          "references": [
            "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites"
          ],
          "public": 1,
          "adversary": "Figure",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Threat Intelligence",
              "display_name": "Threat Intelligence",
              "target": null
            },
            {
              "id": "FROSTRIFT",
              "display_name": "FROSTRIFT",
              "target": null
            },
            {
              "id": "STARKVEIL",
              "display_name": "STARKVEIL",
              "target": null
            },
            {
              "id": "XWORM",
              "display_name": "XWORM",
              "target": null
            },
            {
              "id": "GRIMPULL",
              "display_name": "GRIMPULL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 9,
            "URL": 7,
            "YARA": 2,
            "domain": 30,
            "hostname": 2
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "368 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/skocherhan/status/1922133808750436722",
        "https://x.com/skocherhan/status/1922283405816774836",
        "https://x.com/skocherhan/status/1922372009574432809",
        "https://x.com/skocherhan/status/1921887460906226058",
        "https://x.com/skocherhan/status/1922267683753509336",
        "https://x.com/skocherhan/status/1921909441659633748",
        "https://x.com/skocherhan/status/1922409801759268902",
        "https://x.com/skocherhan/status/1922396080882278668",
        "https://x.com/skocherhan/status/1922261189381300353",
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/",
        "https://x.com/skocherhan/status/1921943491422155211",
        "https://x.com/skocherhan/status/1922088229668344157",
        "https://x.com/skocherhan/status/1921905749061480463",
        "https://x.com/skocherhan/status/1922022323093143736",
        "https://x.com/skocherhan/status/1922269784860766270",
        "https://x.com/skocherhan/status/1922135739334078652",
        "https://x.com/skocherhan/status/1922296558726332917",
        "https://x.com/skocherhan/status/1922011840432738542",
        "https://x.com/skocherhan/status/1921994200792314329",
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites",
        "https://x.com/skocherhan/status/1922127244522356961",
        "https://x.com/skocherhan/status/1922290527807938685",
        "https://x.com/skocherhan/status/1922402250854437074",
        "https://x.com/skocherhan/status/1922417392451297539",
        "https://x.com/skocherhan/status/1922319725679280273",
        "https://x.com/skocherhan/status/1922038460686258319",
        "https://x.com/skocherhan/status/1921939831577292946",
        "https://x.com/skocherhan/status/1922042871504425105",
        "https://x.com/skocherhan/status/1922302556065153378",
        "https://x.com/skocherhan/status/1922146568368435429",
        "https://x.com/skocherhan/status/1922389683763384648",
        "https://x.com/skocherhan/status/1922138570040430861",
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Figure"
          ],
          "malware_families": [
            "Threat intelligence",
            "Frostrift",
            "Starkveil",
            "Noodlophile stealer",
            "Grimpull",
            "Xworm"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "6823da0629b3aca6b2dfc792",
      "name": "Twitter Feed - skocherhan - 13-05-2025",
      "description": "",
      "modified": "2025-06-12T23:00:48.619000",
      "created": "2025-05-13T23:47:18.758000",
      "tags": [
        "phishing",
        "C2",
        "NetSupport",
        "Lumma"
      ],
      "references": [
        "https://x.com/skocherhan/status/1922088229668344157",
        "https://x.com/skocherhan/status/1922022323093143736",
        "https://x.com/skocherhan/status/1922127244522356961",
        "https://x.com/skocherhan/status/1922133808750436722",
        "https://x.com/skocherhan/status/1922135739334078652",
        "https://x.com/skocherhan/status/1922138570040430861",
        "https://x.com/skocherhan/status/1922146568368435429",
        "https://x.com/skocherhan/status/1922261189381300353",
        "https://x.com/skocherhan/status/1922267683753509336",
        "https://x.com/skocherhan/status/1922269784860766270",
        "https://x.com/skocherhan/status/1922283405816774836",
        "https://x.com/skocherhan/status/1922290527807938685",
        "https://x.com/skocherhan/status/1922296558726332917",
        "https://x.com/skocherhan/status/1922302556065153378",
        "https://x.com/skocherhan/status/1922319725679280273",
        "https://x.com/skocherhan/status/1922372009574432809",
        "https://x.com/skocherhan/status/1922389683763384648",
        "https://x.com/skocherhan/status/1922396080882278668",
        "https://x.com/skocherhan/status/1922402250854437074",
        "https://x.com/skocherhan/status/1922409801759268902",
        "https://x.com/skocherhan/status/1922417392451297539"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 73,
        "URL": 99,
        "FileHash-MD5": 10,
        "hostname": 15
      },
      "indicator_count": 197,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "352 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682287b882c39a0228bed6be",
      "name": "Twitter Feed - skocherhan - 12-05-2025",
      "description": "",
      "modified": "2025-06-11T23:04:37.592000",
      "created": "2025-05-12T23:43:52.352000",
      "tags": [
        "malware",
        "C2",
        "phishing"
      ],
      "references": [
        "https://x.com/skocherhan/status/1921887460906226058",
        "https://x.com/skocherhan/status/1921905749061480463",
        "https://x.com/skocherhan/status/1921909441659633748",
        "https://x.com/skocherhan/status/1921939831577292946",
        "https://x.com/skocherhan/status/1921943491422155211",
        "https://x.com/skocherhan/status/1921994200792314329",
        "https://x.com/skocherhan/status/1922011840432738542",
        "https://x.com/skocherhan/status/1922022323093143736",
        "https://x.com/skocherhan/status/1922038460686258319",
        "https://x.com/skocherhan/status/1922042871504425105"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 6,
        "domain": 48,
        "hostname": 6
      },
      "indicator_count": 120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "353 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6838080f58e2d6ee8f43c9d3",
      "name": "IOC&TTP - Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites",
      "description": "Mandiant Threat Defense \u53d1\u73b0 UNC6032 \u5a01\u80c1\u7ec4\u7ec7\u501f\u52a9\u201c\u5927\u6a21\u578b\u201d\u70ed\u5ea6\uff0c\u5927\u91cf\u6295\u653e\u4eff\u5192 Luma AI\u3001Canva Dream Lab\u3001Kling AI \u7b49\u201c\u6587\u672c\u751f\u6210\u89c6\u9891\u201d\u7f51\u7ad9\u7684\u793e\u4ea4\u5a92\u4f53\u5e7f\u544a\u3002\u53d7\u5bb3\u8005\u5728\u5047\u7ad9\u70b9\u4e0a\u70b9\u51fb\u201c\u751f\u6210\u89c6\u9891\u201d\u540e\u4f1a\u76f4\u63a5\u4e0b\u8f7d\u6076\u610f ZIP \u6587\u4ef6\uff0c\u89e3\u538b\u5f97\u5230\u5e26\u6709\u53cc\u540e\u7f00\uff08.mp4\u2800\u2800\u2800\u2800\u2800.exe\uff09\u548c Braille Pattern Blank \u9690\u5199\u5b57\u7b26\u7684\u53ef\u6267\u884c\u6587\u4ef6\u3002\u8be5\u6837\u672c\u4e3a STARKVEIL \u4e0b\u53d1\u5668\uff0c\u540e\u7eed\u91ca\u653e\u5e76\u4fa7\u8f7d GRIMPULL\uff08.NET \u4e0b\u8f7d\u5668\uff09\u3001XWORM\uff08.NET \u540e\u95e8/\u952e\u76d8\u8bb0\u5f55\u5668\uff09\u3001FROSTRIFT\uff08\u4fe1\u606f\u7a83\u53d6\u540e\u95e8\uff09\u7b49\u7ec4\u4ef6\uff0c\u901a\u8fc7 Tor\u3001Telegram \u548c\u81ea\u5efa TCP \u96a7\u9053\u5916\u8054\uff0c\u7a83\u53d6\u5e76\u4e0a\u4f20\u51ed\u636e\u3001Cookies\u3001Facebook \u4fe1\u606f\u53ca\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6570\u636e\u3002\u8be5\u6d3b\u52a8\u81ea 2024 \u5e74\u4e2d\u5f00\u59cb\uff0c\u8fc4\u4eca\u5df2\u6295\u653e\u6570\u5343\u6761\u5e7f\u544a\uff0c\u5f71\u54cd\u8de8\u884c\u4e1a\u3001\u591a\u5730\u533a\u7528\u6237\uff0c\u5a01\u80c1\u6e90\u88ab\u8bc4\u4f30\u4e3a \u8d8a\u5357 Nexus",
      "modified": "2025-05-29T07:09:03.459000",
      "created": "2025-05-29T07:09:03.459000",
      "tags": [
        "protobuf",
        "hkcusoftware",
        "urls",
        "webdrivers",
        "figure",
        "threat intelligence",
        "frostrift",
        "starkveil",
        "xworm",
        "grimpull"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/?hl=en"
      ],
      "public": 1,
      "adversary": "Figure",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Threat Intelligence",
          "display_name": "Threat Intelligence",
          "target": null
        },
        {
          "id": "FROSTRIFT",
          "display_name": "FROSTRIFT",
          "target": null
        },
        {
          "id": "STARKVEIL",
          "display_name": "STARKVEIL",
          "target": null
        },
        {
          "id": "XWORM",
          "display_name": "XWORM",
          "target": null
        },
        {
          "id": "GRIMPULL",
          "display_name": "GRIMPULL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA256": 9,
        "domain": 30,
        "hostname": 2
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "367 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6836fce0d7f64f82186e780a",
      "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog",
      "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.",
      "modified": "2025-05-28T12:09:04.021000",
      "created": "2025-05-28T12:09:04.021000",
      "tags": [
        "protobuf",
        "hkcusoftware",
        "urls",
        "webdrivers",
        "figure",
        "threat intelligence",
        "frostrift",
        "starkveil",
        "xworm",
        "grimpull"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites/"
      ],
      "public": 1,
      "adversary": "Figure",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Threat Intelligence",
          "display_name": "Threat Intelligence",
          "target": null
        },
        {
          "id": "FROSTRIFT",
          "display_name": "FROSTRIFT",
          "target": null
        },
        {
          "id": "STARKVEIL",
          "display_name": "STARKVEIL",
          "target": null
        },
        {
          "id": "XWORM",
          "display_name": "XWORM",
          "target": null
        },
        {
          "id": "GRIMPULL",
          "display_name": "GRIMPULL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 9,
        "URL": 7,
        "YARA": 2,
        "domain": 30,
        "hostname": 2
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "367 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682254fb50cbbda5247d935d",
      "name": "Noodlophile Stealer",
      "description": "",
      "modified": "2025-05-27T20:44:21.221000",
      "created": "2025-05-12T20:07:23.371000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Noodlophile Stealer",
          "display_name": "Noodlophile Stealer",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 20
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 182,
      "modified_text": "368 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68361f3322abf0f14a1dc6bb",
      "name": "Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites | Google Cloud Blog",
      "description": "A study by Mandiant Threat Defense and Google Cloud Next shows how cybercriminals are weaponizing the interest in artificial intelligence (AI) through fake websites and malicious social media ads, including Facebook and LinkedIn.",
      "modified": "2025-05-27T20:23:15.312000",
      "created": "2025-05-27T20:23:15.312000",
      "tags": [
        "protobuf",
        "hkcusoftware",
        "urls",
        "webdrivers",
        "figure",
        "threat intelligence",
        "frostrift",
        "starkveil",
        "xworm",
        "grimpull"
      ],
      "references": [
        "https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites"
      ],
      "public": 1,
      "adversary": "Figure",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Threat Intelligence",
          "display_name": "Threat Intelligence",
          "target": null
        },
        {
          "id": "FROSTRIFT",
          "display_name": "FROSTRIFT",
          "target": null
        },
        {
          "id": "STARKVEIL",
          "display_name": "STARKVEIL",
          "target": null
        },
        {
          "id": "XWORM",
          "display_name": "XWORM",
          "target": null
        },
        {
          "id": "GRIMPULL",
          "display_name": "GRIMPULL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 9,
        "URL": 7,
        "YARA": 2,
        "domain": 30,
        "hostname": 2
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "368 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "lumaailabs.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "lumaailabs.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780216087.3422034
}