{
  "type": "Domain",
  "indicator": "mail-verify.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mail-verify.com",
    "alexa": "http://www.alexa.com/siteinfo/mail-verify.com",
    "indicator": "mail-verify.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 9217,
      "indicator": "mail-verify.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "5640d95e67db8c7a156aeaaa",
          "name": "Rocket Kitten: A campaign with 9 lives",
          "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.",
          "modified": "2017-08-23T14:00:07.639000",
          "created": "2015-11-09T17:35:26.197000",
          "tags": [
            "rocket kitten",
            "newscaster",
            "Saffron rose",
            "iran",
            "Gholee",
            "CWoolger",
            "MPK",
            "Havij",
            "acunetix",
            "NetSparker",
            "checkpoint"
          ],
          "references": [
            "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 7.0,
          "downvotes_count": 0.0,
          "votes_count": 7.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "hostname": 25,
            "FileHash-MD5": 73,
            "FileHash-SHA1": 66,
            "YARA": 4
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386513,
          "modified_text": "3202 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "556f64deb45ff51f05cfbb9e",
          "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign",
          "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate that it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.",
          "modified": "2017-03-07T15:01:49.598000",
          "created": "2015-06-03T20:34:38.801000",
          "tags": [
            "iran",
            "spearphishing",
            "phishing",
            "israel",
            "Gholee",
            "Rocket Kitten",
            "WOOLEN GOLDFISH",
            "Ajax Security Team",
            "Newscaster",
            "CWoolger",
            "Middle East"
          ],
          "references": [
            "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf"
          ],
          "public": 1,
          "adversary": "Rocket Kitten",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3,
            "domain": 7,
            "hostname": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "email": 1
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386517,
          "modified_text": "3371 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "632349065aa657208658ea7f",
          "name": "Ajax Security Team | MITRE ATT&CK Group  ID: G0130",
          "description": "Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.",
          "modified": "2022-10-15T12:01:33.826000",
          "created": "2022-09-15T15:47:18.656000",
          "tags": [
            "actor/ajaxsecurityteam"
          ],
          "references": [
            "https://attack.mitre.org/groups/G0130/",
            "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
            "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
            "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
          ],
          "public": 1,
          "adversary": "Ajax Security Team",
          "targeted_countries": [
            "United States of America",
            "Israel",
            "Iran, Islamic Republic of",
            "Russian Federation",
            "Syrian Arab Republic"
          ],
          "malware_families": [
            {
              "id": "Flying Kitten",
              "display_name": "Flying Kitten",
              "target": null
            },
            {
              "id": "Ishak",
              "display_name": "Ishak",
              "target": null
            },
            {
              "id": "GHOLE",
              "display_name": "GHOLE",
              "target": null
            },
            {
              "id": "TSPY_WOOLERG.A.",
              "display_name": "TSPY_WOOLERG.A.",
              "target": null
            },
            {
              "id": "BKDR_GHOLE.B.",
              "display_name": "BKDR_GHOLE.B.",
              "target": null
            },
            {
              "id": "Detected Gholee",
              "display_name": "Detected Gholee",
              "target": null
            },
            {
              "id": "Hoffman",
              "display_name": "Hoffman",
              "target": null
            },
            {
              "id": "Rocket Kitten",
              "display_name": "Rocket Kitten",
              "target": null
            },
            {
              "id": "GHolE",
              "display_name": "GHolE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [
            "Aerospace",
            "Defense",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 73,
            "FileHash-SHA1": 69,
            "FileHash-SHA256": 67,
            "URL": 15,
            "domain": 54,
            "email": 6,
            "hostname": 44,
            "CIDR": 1,
            "YARA": 1
          },
          "indicator_count": 330,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 134,
          "modified_text": "1323 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a816f8ee7ab90c16763e4e",
          "name": "NewDom-2-20220614",
          "description": "ICANN-Dom",
          "modified": "2022-07-29T00:00:24.010000",
          "created": "2022-06-14T05:04:56.602000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ZENDataGELowC",
            "id": "152785",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {},
          "indicator_count": 0,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 201,
          "modified_text": "1402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 0
        }
      ],
      "references": [
        "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
        "https://attack.mitre.org/groups/G0130/",
        "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
        "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/",
        "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
        "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Rocket Kitten"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Ajax Security Team"
          ],
          "malware_families": [
            "Ghole",
            "Hoffman",
            "Flying kitten",
            "Bkdr_ghole.b.",
            "Detected gholee",
            "Ishak",
            "Rocket kitten",
            "Tspy_woolerg.a."
          ],
          "industries": [
            "Government",
            "Defense",
            "Aerospace"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "5640d95e67db8c7a156aeaaa",
      "name": "Rocket Kitten: A campaign with 9 lives",
      "description": "Since early 2014, an attacker group of Iranian origin has been actively targeting persons\nof interest by means of malware infection, supported by persistent spear phishing\ncampaigns. This cyber-espionage group was dubbed \u2018Rocket Kitten,\u2019 and remains active\nas of this writing, with reported attacks as recent as October 2015.\nThe Rocket Kitten group and its attacks have been analyzed on numerous occasions by\nseveral vendors and security professionals, resulting in various reports describing the\ngroup\u2019s method of operation, tools and techniques.\nCharacterized by relatively unsophisticated technical merit and extensive use of spear\nphishing, the group targeted individuals and organizations in the Middle East (including\ntargets inside Iran itself), as well as across Europe and in the United States.",
      "modified": "2017-08-23T14:00:07.639000",
      "created": "2015-11-09T17:35:26.197000",
      "tags": [
        "rocket kitten",
        "newscaster",
        "Saffron rose",
        "iran",
        "Gholee",
        "CWoolger",
        "MPK",
        "Havij",
        "acunetix",
        "NetSparker",
        "checkpoint"
      ],
      "references": [
        "http://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 7.0,
      "downvotes_count": 0.0,
      "votes_count": 7.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "hostname": 25,
        "FileHash-MD5": 73,
        "FileHash-SHA1": 66,
        "YARA": 4
      },
      "indicator_count": 180,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386513,
      "modified_text": "3202 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "556f64deb45ff51f05cfbb9e",
      "name": "Thamar Reservoir \u2013 An Iranian cyber-attack campaign",
      "description": "This report reviews an ongoing cyber-attack campaign dating back to mid-2014. Additional sources indicate that it may have origins as far back as 2011. We call this campaign Thamar Reservoir, named for one of the targets, Thamar E. Gindin, who exposed new information about the attack and is currently assisting with the investigation.",
      "modified": "2017-03-07T15:01:49.598000",
      "created": "2015-06-03T20:34:38.801000",
      "tags": [
        "iran",
        "spearphishing",
        "phishing",
        "israel",
        "Gholee",
        "Rocket Kitten",
        "WOOLEN GOLDFISH",
        "Ajax Security Team",
        "Newscaster",
        "CWoolger",
        "Middle East"
      ],
      "references": [
        "http://www.clearskysec.com/wp-content/uploads/2015/06/Thamar-Reservoir-public.pdf"
      ],
      "public": 1,
      "adversary": "Rocket Kitten",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 52,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3,
        "domain": 7,
        "hostname": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "email": 1
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386517,
      "modified_text": "3371 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "632349065aa657208658ea7f",
      "name": "Ajax Security Team | MITRE ATT&CK Group  ID: G0130",
      "description": "Ajax Security Team is a group that has been active since at least 2010 and is believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.",
      "modified": "2022-10-15T12:01:33.826000",
      "created": "2022-09-15T15:47:18.656000",
      "tags": [
        "actor/ajaxsecurityteam"
      ],
      "references": [
        "https://attack.mitre.org/groups/G0130/",
        "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs",
        "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/",
        "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
      ],
      "public": 1,
      "adversary": "Ajax Security Team",
      "targeted_countries": [
        "United States of America",
        "Israel",
        "Iran, Islamic Republic of",
        "Russian Federation",
        "Syrian Arab Republic"
      ],
      "malware_families": [
        {
          "id": "Flying Kitten",
          "display_name": "Flying Kitten",
          "target": null
        },
        {
          "id": "Ishak",
          "display_name": "Ishak",
          "target": null
        },
        {
          "id": "GHOLE",
          "display_name": "GHOLE",
          "target": null
        },
        {
          "id": "TSPY_WOOLERG.A.",
          "display_name": "TSPY_WOOLERG.A.",
          "target": null
        },
        {
          "id": "BKDR_GHOLE.B.",
          "display_name": "BKDR_GHOLE.B.",
          "target": null
        },
        {
          "id": "Detected Gholee",
          "display_name": "Detected Gholee",
          "target": null
        },
        {
          "id": "Hoffman",
          "display_name": "Hoffman",
          "target": null
        },
        {
          "id": "Rocket Kitten",
          "display_name": "Rocket Kitten",
          "target": null
        },
        {
          "id": "GHolE",
          "display_name": "GHolE",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [
        "Aerospace",
        "Defense",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 73,
        "FileHash-SHA1": 69,
        "FileHash-SHA256": 67,
        "URL": 15,
        "domain": 54,
        "email": 6,
        "hostname": 44,
        "CIDR": 1,
        "YARA": 1
      },
      "indicator_count": 330,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 134,
      "modified_text": "1323 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a816f8ee7ab90c16763e4e",
      "name": "NewDom-2-20220614",
      "description": "ICANN-Dom",
      "modified": "2022-07-29T00:00:24.010000",
      "created": "2022-06-14T05:04:56.602000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ZENDataGELowC",
        "id": "152785",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {},
      "indicator_count": 0,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 201,
      "modified_text": "1402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 0
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mail-verify.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mail-verify.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780205676.6788075
}