{ "type": "Domain", "indicator": "mailservicess.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mailservicess.com", "alexa": "http://www.alexa.com/siteinfo/mailservicess.com", "indicator": "mailservicess.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3888622317, "indicator": "mailservicess.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "68af30b96e802c733e0c8b8a", "name": "UNC Cluster Targeting South Asian Countries", "description": "A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.", "modified": "2025-08-27T19:32:13.204000", "created": "2025-08-27T16:22:17.263000", "tags": [ "android malware", "rafel rat", "information stealer", "credential theft", "phishing", "military targets", "south asian apt", "remote access" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft" ], "public": 1, "adversary": "", "targeted_countries": [ "Bangladesh", "British Indian Ocean Territory", "India", "Pakistan", "Sri Lanka" ], "malware_families": [ { "id": "Rafel Rat", "display_name": "Rafel Rat", "target": null } ], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 5, "domain": 12, "hostname": 36 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 386997, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a00eef29b122fc211e1a85c", "name": "Copy of 5[.]1[.]0[.]0 - 05.10.26", "description": "If I didn't know better, I would guess that is AWS, Fastly, Cloudflare botnet activity Targetting Urkraine\n\nOrigin: Edmonton, Alnerta", "modified": "2026-05-10T20:47:46.993000", "created": "2026-05-10T20:47:46.993000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 370, "IPv4": 572, "IPv6": 1, "URL": 77, "domain": 35, "hostname": 134 }, "indicator_count": 1250, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aef29ab2d06e6cba9971e4", "name": "Strike Ready", "description": "A South Asian APT has been targeting military-adjacent people in Pakistan, Sri Lanka, Pakistan and Turkey, exposing novel tooling and a new generation of malware that targets those who work in the military.", "modified": "2025-08-27T11:57:14.297000", "created": "2025-08-27T11:57:14.297000", "tags": [ "#apt #india #pakistan #bangladesh #srilanka #turkey #apk", "strong", "general", "dgdp", "bangladesh", "government", "bangladesh air", "figure", "ministry", "chief", "army staff", "android", "phishing", "decoy", "demo", "phish", "first", "demon", "rafel rat", "april", "february", "asian", "rafel" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Sri Lanka", "Bangladesh", "Pakistan", "T\u00fcrkiye" ], "malware_families": [ { "id": "Asian", "display_name": "Asian", "target": null }, { "id": "Rafel", "display_name": "Rafel", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 5, "domain": 14, "hostname": 36 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac0946e610dfc8e94effb2", "name": "APT: Android, Phishing, microsofT.", "description": "A South Asian Advanced Persistent Threat (APT) group has been actively targeting individuals associated with military and defense sectors in Sri Lanka, Bangladesh, Pakistan, and Turkey. This threat actor employs a combination of sophisticated techniques to compromise mobile devices, particularly Android phones. The group's infrastructure and novel malware tooling have been designed to bypass security measures and facilitate espionage operations.", "modified": "2025-08-25T06:57:10.605000", "created": "2025-08-25T06:57:10.605000", "tags": [ "strong", "general", "dgdp", "bangladesh", "government", "bangladesh air", "figure", "ministry", "chief", "army staff", "android", "phishing", "decoy", "demo", "phish", "first", "demon", "rafel rat", "april", "february", "asian", "rafel" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 5, "domain": 15, "hostname": 62, "email": 4 }, "indicator_count": 117, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "281 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670e79d0083d46c0532d2602", "name": "5[.]1[.]0[.]0 - Windows NT & Program Files IE - 10.15.24", "description": "Hgkghk, \u00c2\u00a31.1m, is the latest in a series of names to be added to the list of domain names that can be used to track users' activity.\nWorking my way around this Pesky IP", "modified": "2024-11-14T14:02:16.695000", "created": "2024-10-15T14:18:56.639000", "tags": [ "entity", "Windows NT", "Internet Explorer", "Program Files" ], "references": [ "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 41, "FileHash-SHA1": 38, "FileHash-SHA256": 256, "domain": 21, "hostname": 131 }, "indicator_count": 564, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c32b96844cee003e1cb8ec", "name": "QWERTY INFORMATION STEALER - CYFIRMA", "description": "", "modified": "2024-09-18T11:03:45.294000", "created": "2024-08-19T11:25:10.982000", "tags": [ "c2 server", "windows api", "username", "http post", "frankfurt", "germany", "qwerty", "qwerty info", "stealer", "vps server", "main" ], "references": [ "https://www.cyfirma.com/research/qwerty-information-stealer/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 1, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6684ddb81f457884672174ce", "name": "Suss & Suspicious dlls", "description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened", "modified": "2024-08-23T15:00:34.872000", "created": "2024-07-03T05:12:24.970000", "tags": [ "entity", "please", "javascript", "suss", "hidden", "false file", "description", "hash", "suspicious", "duck duck", "comodo security", "solutions", "inc hash", "intel", "compiler", "loader" ], "references": [ "https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph", "07.02.24 - dos - DLLExplorer.log" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [ "Technology", "Education", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3627, "FileHash-SHA1": 937, "FileHash-SHA256": 28560, "hostname": 5477, "domain": 8215, "URL": 10147, "email": 7, "CIDR": 2 }, "indicator_count": 56972, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c49653c9b595efacb2eec6", "name": "QWERTY Info Stealer Targets Windows", "description": "", "modified": "2024-08-20T13:12:51.169000", "created": "2024-08-20T13:12:51.169000", "tags": [ "hashes", "sha256", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "651 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669c42e405d9f83d63b4070b", "name": "URLHaus data - 20-07-2024", "description": "", "modified": "2024-08-19T23:00:37.357000", "created": "2024-07-20T23:06:12.305000", "tags": [ "32-bit", "elf", "mips", "Mozi", "dropped-by-PrivateLoader", "encrypted", "CoinMiner", "sh", "config", "json", "mirai", "AsyncRAT", "BlankGrabber", "exe", "opendir", "bolo", "gafgyt", "64", "arm", "32", "bashlite", "intel", "hajime", "trojan", "64-bit", "scr", "zip", "lnk" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1702, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 2, "domain": 3 }, "indicator_count": 1005, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "652 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6652ab47625ee4cf5c7c9133", "name": "Foxit PDF \u201cFlawed Design\u201d Exploitation - Check Point Research", "description": "", "modified": "2024-06-25T03:01:55.092000", "created": "2024-05-26T03:23:51.939000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "april", "first", "remcos", "body", "virustotal", "february", "korean", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit", "protect", "path", "screen" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "text_account", "id": "221593", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "FileHash-MD5": 27, "FileHash-SHA1": 26, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 52, "modified_text": "708 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "664d2d8a4b164cda98ac3bbd", "name": "Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal", "description": "Multiple threat actors are exploiting a flaw in Foxit PDF Reader, deploying various malware like Agent Tesla, AsyncRAT, and Remcos RAT. Unlike Adobe Acrobat Reader, Foxit's vulnerability leads to a low detection rate, as it defaults to \"OK\" in security warnings, making users prone to executing harmful commands.", "modified": "2024-06-20T23:02:03.274000", "created": "2024-05-21T23:26:02.058000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "first", "remcos", "body", "virustotal", "february", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "FileHash-MD5": 27, "FileHash-SHA1": 26, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "712 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66447258c33a5f25aa4c788f", "name": "Foxit PDF \u201cFlawed Design\u201d Exploitation - Check Point Research", "description": "", "modified": "2024-06-14T08:05:17.527000", "created": "2024-05-15T08:29:12.510000", "tags": [ "code", "check point", "python", "research", "aptc35", "donot team", "vbscript", "createobject", "pdf file", "foxit reader", "powershell", "fuckcrypt", "facebook", "shellcode", "downloader", "april", "first", "remcos", "body", "virustotal", "february", "korean", "launch", "uploader", "open", "comment", "nanocore rat", "android", "rafel rat", "sliver", "cobalt strike", "loader", "john", "julia", "uacbypass", "bypass", "discord", "null", "dcom", "template", "generic", "exploit", "protect", "path", "screen" ], "references": [ "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 23, "FileHash-MD5": 26, "FileHash-SHA1": 25, "FileHash-SHA256": 39, "YARA": 3, "domain": 6, "hostname": 3 }, "indicator_count": 125, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "718 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://strikeready.com/blog/apt-android-phishing-microsoft/", "https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph", "https://www.cyfirma.com/research/qwerty-information-stealer/", "https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph", "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt", "https://strikeready.com/blog/apt-android-phishing-microsoft", "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://urlhaus.abuse.ch/browse/", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary", "07.02.24 - dos - DLLExplorer.log", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Rafel rat" ], "industries": [ "Government", "Defense" ] }, "other": { "adversary": [], "malware_families": [ "Rafel", "Asian" ], "industries": [ "Government", "Education", "Technology", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "68af30b96e802c733e0c8b8a", "name": "UNC Cluster Targeting South Asian Countries", "description": "A South Asian APT group has been consistently targeting Sri Lanka, Bangladesh, Pakistan, and Turkey. The operation involves phishing campaigns using military-themed lures to compromise phones of military personnel. The attackers employ various tactics, including PDF phishing documents, fake login pages for government and military organizations, and malicious Android apps. The Android malware, based on the Rafel Rat, steals information and provides remote access. Victims are primarily from South Asian countries, with stolen data including SMS messages, contact lists, and documents. The operation also uses Windows malware with the same command and control infrastructure.", "modified": "2025-08-27T19:32:13.204000", "created": "2025-08-27T16:22:17.263000", "tags": [ "android malware", "rafel rat", "information stealer", "credential theft", "phishing", "military targets", "south asian apt", "remote access" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft" ], "public": 1, "adversary": "", "targeted_countries": [ "Bangladesh", "British Indian Ocean Territory", "India", "Pakistan", "Sri Lanka" ], "malware_families": [ { "id": "Rafel Rat", "display_name": "Rafel Rat", "target": null } ], "attack_ids": [ { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 5, "domain": 12, "hostname": 36 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 386997, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a00eef29b122fc211e1a85c", "name": "Copy of 5[.]1[.]0[.]0 - 05.10.26", "description": "If I didn't know better, I would guess that is AWS, Fastly, Cloudflare botnet activity Targetting Urkraine\n\nOrigin: Edmonton, Alnerta", "modified": "2026-05-10T20:47:46.993000", "created": "2026-05-10T20:47:46.993000", "tags": [], "references": [ "https://www.virustotal.com/graph/embed/gd6bc2ac4a2bd4707b7287f9643acea44af35721b1f3243b385313ddc60862e0a?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 370, "IPv4": 572, "IPv6": 1, "URL": 77, "domain": 35, "hostname": 134 }, "indicator_count": 1250, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "109 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aef29ab2d06e6cba9971e4", "name": "Strike Ready", "description": "A South Asian APT has been targeting military-adjacent people in Pakistan, Sri Lanka, Pakistan and Turkey, exposing novel tooling and a new generation of malware that targets those who work in the military.", "modified": "2025-08-27T11:57:14.297000", "created": "2025-08-27T11:57:14.297000", "tags": [ "#apt #india #pakistan #bangladesh #srilanka #turkey #apk", "strong", "general", "dgdp", "bangladesh", "government", "bangladesh air", "figure", "ministry", "chief", "army staff", "android", "phishing", "decoy", "demo", "phish", "first", "demon", "rafel rat", "april", "february", "asian", "rafel" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Sri Lanka", "Bangladesh", "Pakistan", "T\u00fcrkiye" ], "malware_families": [ { "id": "Asian", "display_name": "Asian", "target": null }, { "id": "Rafel", "display_name": "Rafel", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 5, "domain": 14, "hostname": 36 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "279 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac0946e610dfc8e94effb2", "name": "APT: Android, Phishing, microsofT.", "description": "A South Asian Advanced Persistent Threat (APT) group has been actively targeting individuals associated with military and defense sectors in Sri Lanka, Bangladesh, Pakistan, and Turkey. This threat actor employs a combination of sophisticated techniques to compromise mobile devices, particularly Android phones. The group's infrastructure and novel malware tooling have been designed to bypass security measures and facilitate espionage operations.", "modified": "2025-08-25T06:57:10.605000", "created": "2025-08-25T06:57:10.605000", "tags": [ "strong", "general", "dgdp", "bangladesh", "government", "bangladesh air", "figure", "ministry", "chief", "army staff", "android", "phishing", "decoy", "demo", "phish", "first", "demon", "rafel rat", "april", "february", "asian", "rafel" ], "references": [ "https://strikeready.com/blog/apt-android-phishing-microsoft/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 23, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 5, "domain": 15, "hostname": 62, "email": 4 }, "indicator_count": 117, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "281 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670e79d0083d46c0532d2602", "name": "5[.]1[.]0[.]0 - Windows NT & Program Files IE - 10.15.24", "description": "Hgkghk, \u00c2\u00a31.1m, is the latest in a series of names to be added to the list of domain names that can be used to track users' activity.\nWorking my way around this Pesky IP", "modified": "2024-11-14T14:02:16.695000", "created": "2024-10-15T14:18:56.639000", "tags": [ "entity", "Windows NT", "Internet Explorer", "Program Files" ], "references": [ "https://www.virustotal.com/graph/embed/g4ba19a7ec3564c599b1b8d19935cc3ccb7b538708e9b4a3b9048ec86e0062e01?theme=dark", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/iocs", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/community", "https://www.virustotal.com/gui/collection/a5dc2ae56e9df5e39030274a91a061120d8e57309aed6be14334f7bfd5264726/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 77, "FileHash-MD5": 41, "FileHash-SHA1": 38, "FileHash-SHA256": 256, "domain": 21, "hostname": 131 }, "indicator_count": 564, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "565 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c32b96844cee003e1cb8ec", "name": "QWERTY INFORMATION STEALER - CYFIRMA", "description": "", "modified": "2024-09-18T11:03:45.294000", "created": "2024-08-19T11:25:10.982000", "tags": [ "c2 server", "windows api", "username", "http post", "frankfurt", "germany", "qwerty", "qwerty info", "stealer", "vps server", "main" ], "references": [ "https://www.cyfirma.com/research/qwerty-information-stealer/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 1, "domain": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6684ddb81f457884672174ce", "name": "Suss & Suspicious dlls", "description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened", "modified": "2024-08-23T15:00:34.872000", "created": "2024-07-03T05:12:24.970000", "tags": [ "entity", "please", "javascript", "suss", "hidden", "false file", "description", "hash", "suspicious", "duck duck", "comodo security", "solutions", "inc hash", "intel", "compiler", "loader" ], "references": [ "https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs", "https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph", "07.02.24 - dos - DLLExplorer.log" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [ "Technology", "Education", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3627, "FileHash-SHA1": 937, "FileHash-SHA256": 28560, "hostname": 5477, "domain": 8215, "URL": 10147, "email": 7, "CIDR": 2 }, "indicator_count": 56972, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "648 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c49653c9b595efacb2eec6", "name": "QWERTY Info Stealer Targets Windows", "description": "", "modified": "2024-08-20T13:12:51.169000", "created": "2024-08-20T13:12:51.169000", "tags": [ "hashes", "sha256", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "651 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669c42e405d9f83d63b4070b", "name": "URLHaus data - 20-07-2024", "description": "", "modified": "2024-08-19T23:00:37.357000", "created": "2024-07-20T23:06:12.305000", "tags": [ "32-bit", "elf", "mips", "Mozi", "dropped-by-PrivateLoader", "encrypted", "CoinMiner", "sh", "config", "json", "mirai", "AsyncRAT", "BlankGrabber", "exe", "opendir", "bolo", "gafgyt", "64", "arm", "32", "bashlite", "intel", "hajime", "trojan", "64-bit", "scr", "zip", "lnk" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1702, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1000, "hostname": 2, "domain": 3 }, "indicator_count": 1005, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "652 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mailservicess.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mailservicess.com", "found": true, "verdict": "malicious", "url_count": 6, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "http://mailservicess.com/res/data/i.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] }, { "url": "http://mailservicess.com/res/data/in.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] }, { "url": "https://mailservicess.com/res/data/i.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] }, { "url": "https://mailservicess.com/res/data/in.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] }, { "url": "http://mailservicess.com/res/data/up.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] }, { "url": "https://mailservicess.com/res/data/up.exe", "status": "offline", "threat": "malware_download", "date_added": "2024-07-20", "tags": [ "exe", "opendir" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780458248.1458125 }