{ "type": "Domain", "indicator": "macostutorial.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/macostutorial.com", "alexa": "http://www.alexa.com/siteinfo/macostutorial.com", "indicator": "macostutorial.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4075577896, "indicator": "macostutorial.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "68a7f6cccd788262b87670e6", "name": "EbeeAugust2025 Pt3", "description": "", "modified": "2025-10-02T14:03:15.669000", "created": "2025-08-22T04:49:16.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 219, "FileHash-SHA1": 197, "FileHash-SHA256": 260, "URL": 89, "domain": 180, "email": 4, "hostname": 64 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aea3a12873f2f36c5aeff9", "name": "aaaaaaaaaaaaaaa", "description": "", "modified": "2025-09-26T06:03:36.196000", "created": "2025-08-27T06:20:17.230000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 4, "domain": 5 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b13ab6c7e7a41bd9000894", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "", "modified": "2025-08-29T05:29:26.526000", "created": "2025-08-29T05:29:26.526000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": "68a79c0be4ebcd6686baeb09", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "276 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b1341216fd69dda3168c0f", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "", "modified": "2025-08-29T05:01:06.961000", "created": "2025-08-29T05:01:06.961000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": "68a79c0be4ebcd6686baeb09", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "276 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a79c0be4ebcd6686baeb09", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "Between June and August 2025, a malware campaign identified as SHAMOS, a variant of Atomic macOS Stealer (AMOS) linked to the cybercriminal group COOKIE SPIDER, attempted to compromise over 300 environments but was successfully blocked by the CrowdStrike Falcon platform. This campaign utilized malvertising to target users searching for macOS-related issues, redirecting them to malicious websites. Victims were primarily located in multiple countries including the U.S., UK, Japan, and Canada, while the campaign avoided targeting individuals in Russia due to local forum regulations against commodity malware operations.", "modified": "2025-08-21T22:22:03.582000", "created": "2025-08-21T22:22:03.582000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "283 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684a1371679552059c6f93a2", "name": "URLHaus data - 11-06-2025", "description": "", "modified": "2025-07-11T23:01:11.967000", "created": "2025-06-11T23:38:25.042000", "tags": [ "botnetdomain", "censys", "elf", "mirai", "ua-wget", "sh", "gafgyt", "RemcosRAT", "AveMariaRAT", "xworm", "c2-monitor-auto", "dropped-by-amadey", "rev-base64-loader", "VIPKeylogger", "exe", "ftp", "geofenced", "GorillaBotnet", "GorillaStress", ".exe", "AsyncRAT", "connectwise", "rustystealer", "banker", "latam", "trojan", "bash", "wget", "ps1", "hta", "CobaltStrike", "lnk", "xml-opendir", "backdoor", "sshdkit", "hajime", "miner", "gz", "ua-curl", "macho", "CoinMiner", "SMB", "chmod", "Metasploit", "vbscript", "python", "yaml", "Smoke Loader", "Formbook", "DarkTortilla", "a310Logger", "Mozi" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 730, "hostname": 41, "domain": 11 }, "indicator_count": 782, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/browse/", "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Shamos" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "68a7f6cccd788262b87670e6", "name": "EbeeAugust2025 Pt3", "description": "", "modified": "2025-10-02T14:03:15.669000", "created": "2025-08-22T04:49:16.441000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 219, "FileHash-SHA1": 197, "FileHash-SHA256": 260, "URL": 89, "domain": 180, "email": 4, "hostname": 64 }, "indicator_count": 1016, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aea3a12873f2f36c5aeff9", "name": "aaaaaaaaaaaaaaa", "description": "", "modified": "2025-09-26T06:03:36.196000", "created": "2025-08-27T06:20:17.230000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 9, "FileHash-SHA256": 9, "URL": 4, "domain": 5 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b13ab6c7e7a41bd9000894", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "", "modified": "2025-08-29T05:29:26.526000", "created": "2025-08-29T05:29:26.526000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": "68a79c0be4ebcd6686baeb09", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "276 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68b1341216fd69dda3168c0f", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "", "modified": "2025-08-29T05:01:06.961000", "created": "2025-08-29T05:01:06.961000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": "68a79c0be4ebcd6686baeb09", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "276 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a79c0be4ebcd6686baeb09", "name": "Falcon Platform Prevents COOKIE SPIDER\u2019s SHAMOS Delivery on macOS.", "description": "Between June and August 2025, a malware campaign identified as SHAMOS, a variant of Atomic macOS Stealer (AMOS) linked to the cybercriminal group COOKIE SPIDER, attempted to compromise over 300 environments but was successfully blocked by the CrowdStrike Falcon platform. This campaign utilized malvertising to target users searching for macOS-related issues, redirecting them to malicious websites. Victims were primarily located in multiple countries including the U.S., UK, Japan, and Canada, while the campaign avoided targeting individuals in Russia due to local forum regulations against commodity malware operations.", "modified": "2025-08-21T22:22:03.582000", "created": "2025-08-21T22:22:03.582000", "tags": [ "bash script", "crowdstrike", "gatekeeper", "threat hunting", "ck framework", "shamos", "report", "macho", "insight xdr", "nextgen siem", "podcast", "macos", "ecrime", "sha256", "urls https", "compromise", "iocs", "ioc description", "malvertising", "shamos macho" ], "references": [ "https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/" ], "public": 1, "adversary": "", "targeted_countries": [ "Russian Federation", "United States of America", "Japan", "China", "Colombia", "Canada", "Mexico", "Italy" ], "malware_families": [ { "id": "SHAMOS", "display_name": "SHAMOS", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 6, "domain": 4, "FileHash-MD5": 1, "FileHash-SHA1": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "283 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684a1371679552059c6f93a2", "name": "URLHaus data - 11-06-2025", "description": "", "modified": "2025-07-11T23:01:11.967000", "created": "2025-06-11T23:38:25.042000", "tags": [ "botnetdomain", "censys", "elf", "mirai", "ua-wget", "sh", "gafgyt", "RemcosRAT", "AveMariaRAT", "xworm", "c2-monitor-auto", "dropped-by-amadey", "rev-base64-loader", "VIPKeylogger", "exe", "ftp", "geofenced", "GorillaBotnet", "GorillaStress", ".exe", "AsyncRAT", "connectwise", "rustystealer", "banker", "latam", "trojan", "bash", "wget", "ps1", "hta", "CobaltStrike", "lnk", "xml-opendir", "backdoor", "sshdkit", "hajime", "miner", "gz", "ua-curl", "macho", "CoinMiner", "SMB", "chmod", "Metasploit", "vbscript", "python", "yaml", "Smoke Loader", "Formbook", "DarkTortilla", "a310Logger", "Mozi" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 68, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 730, "hostname": 41, "domain": 11 }, "indicator_count": 782, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "macostutorial.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "macostutorial.com", "found": true, "verdict": "malicious", "url_count": 2, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://macostutorial.com/iterm2/install.sh", "status": "offline", "threat": "malware_download", "date_added": "2025-06-11", "tags": [ "sh", "ua-curl" ] }, { "url": "https://macostutorial.com/getupdate/update", "status": "offline", "threat": "malware_download", "date_added": "2025-06-11", "tags": [ "macho", "ua-curl" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780309016.184292 }