{ "type": "Domain", "indicator": "main-google-resolver.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/main-google-resolver.com", "alexa": "http://www.alexa.com/siteinfo/main-google-resolver.com", "indicator": "main-google-resolver.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1494853, "indicator": "main-google-resolver.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "586e3cae3d7dcb215f630d90", "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford", "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.\n\nLater, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate\n\nBased on VirusTotal uploads, malicious documents content, and known victims \u2013 other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.", "modified": "2018-09-17T21:06:46.086000", "created": "2017-01-05T12:31:42.268000", "tags": [ "oxford", "olirig", "middle east", "VPN Web Portal", "Helminth", "clearskysec" ], "references": [ "http://www.clearskysec.com/oilrig/" ], "public": 1, "adversary": "OilRig", "targeted_countries": [ "Turkey", "Qatar", "Kuwait", "United Arab Emirates", "Saudi Arabia", "Lebanon" ], "malware_families": [], "attack_ids": [], "industries": [ "information technology", "government", "transportation" ], "TLP": "green", "cloned_from": null, "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 27, "FileHash-MD5": 22, "email": 10 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 386665, "modified_text": "2812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "58de329c88c71500d0e660b8", "name": "OilRig Campaign Analysis", "description": "The earliest instance where a cyber attack was attributed to the OilRig\ncampaign was in late 2015. To date, two periods of high activity have been\nidentified following the initial attack. These were in May and October 2016.\nAll known samples from these periods used infected Excel files attached to\nphishing emails to infect victims. Once infected, the victim machine can be\ncontrolled by the attacker to perform basic remote-access trojan-like tasks\nincluding command execution and file upload and download.", "modified": "2017-03-31T10:42:35.637000", "created": "2017-03-31T10:42:35.637000", "tags": [ "iran", "oilrig" ], "references": [ "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf" ], "public": 1, "adversary": "OilRig", "targeted_countries": [ "United States", "Saudi Arabia", "United Arab Emirates", "Qatar", "Turkey" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 9, "FileHash-SHA256": 26, "domain": 20, "URL": 8, "hostname": 1, "FileHash-MD5": 24, "FileHash-SHA1": 4 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 386683, "modified_text": "3348 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a26e2f66cc507f0eb3c", "name": "OilRig Campaign Analysis", "description": "", "modified": "2023-12-06T13:41:58.409000", "created": "2023-12-06T13:41:58.409000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 26, "domain": 20, "FileHash-MD5": 24, "email": 9, "URL": 8, "hostname": 1, "FileHash-SHA1": 4 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a0de5c6b07a44dbbad4", "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford", "description": "", "modified": "2023-12-06T13:41:33.476000", "created": "2023-12-06T13:41:33.476000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 27, "FileHash-MD5": 22, "email": 10 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "http://www.clearskysec.com/oilrig/", "IOCs.2026.2.csv", "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf" ], "related": { "alienvault": { "adversary": [ "OilRig" ], "malware_families": [], "industries": [ "Government", "Information technology", "Finance", "Transportation" ] }, "other": { "adversary": [ "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares" ], "malware_families": [], "industries": [ "Government", "Defense", "Industrial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "586e3cae3d7dcb215f630d90", "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford", "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015. In recent attacks they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.\n\nLater, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites they hosted malware that was digitally signed with a valid, likely stolen code signing certificate\n\nBased on VirusTotal uploads, malicious documents content, and known victims \u2013 other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.", "modified": "2018-09-17T21:06:46.086000", "created": "2017-01-05T12:31:42.268000", "tags": [ "oxford", "olirig", "middle east", "VPN Web Portal", "Helminth", "clearskysec" ], "references": [ "http://www.clearskysec.com/oilrig/" ], "public": 1, "adversary": "OilRig", "targeted_countries": [ "Turkey", "Qatar", "Kuwait", "United Arab Emirates", "Saudi Arabia", "Lebanon" ], "malware_families": [], "attack_ids": [], "industries": [ "information technology", "government", "transportation" ], "TLP": "green", "cloned_from": null, "export_count": 86, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 27, "FileHash-MD5": 22, "email": 10 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 386665, "modified_text": "2812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "58de329c88c71500d0e660b8", "name": "OilRig Campaign Analysis", "description": "The earliest instance where a cyber attack was attributed to the OilRig\ncampaign was in late 2015. To date, two periods of high activity have been\nidentified following the initial attack. These were in May and October 2016.\nAll known samples from these periods used infected Excel files attached to\nphishing emails to infect victims. Once infected, the victim machine can be\ncontrolled by the attacker to perform basic remote-access trojan-like tasks\nincluding command execution and file upload and download.", "modified": "2017-03-31T10:42:35.637000", "created": "2017-03-31T10:42:35.637000", "tags": [ "iran", "oilrig" ], "references": [ "https://logrhythm.com/pdfs/threat-research/logrhythm-labs-oilrig-campaign-analysis.pdf" ], "public": 1, "adversary": "OilRig", "targeted_countries": [ "United States", "Saudi Arabia", "United Arab Emirates", "Qatar", "Turkey" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "email": 9, "FileHash-SHA256": 26, "domain": 20, "URL": 8, "hostname": 1, "FileHash-MD5": 24, "FileHash-SHA1": 4 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 386683, "modified_text": "3348 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b6563c0597ac612e644416", "name": "Iranian APT Actors-Pt5", "description": "", "modified": "2026-04-15T09:12:52.422000", "created": "2026-03-15T06:48:28.010000", "tags": [ "filehashsha256", "filehashmd5", "filename", "filehashsha1", "bitcoinaddress", "temp", "port8083 domain", "registry", "cve201711882", "cve20170199" ], "references": [ "IOCs.2026.2.csv" ], "public": 1, "adversary": "Cleaver, Handala, OilRig, RansomHouse, Leafminer, CopyKittens, Muddy Water, Wiper Malwares", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 32, "FileHash-MD5": 261, "FileHash-SHA1": 191, "FileHash-SHA256": 291, "CIDR": 2, "CVE": 4, "domain": 95, "hostname": 23 }, "indicator_count": 899, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a26e2f66cc507f0eb3c", "name": "OilRig Campaign Analysis", "description": "", "modified": "2023-12-06T13:41:58.409000", "created": "2023-12-06T13:41:58.409000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 26, "domain": 20, "FileHash-MD5": 24, "email": 9, "URL": 8, "hostname": 1, "FileHash-SHA1": 4 }, "indicator_count": 92, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65707a0de5c6b07a44dbbad4", "name": "Iranian threat agent OilRig delivers digitally signed malware, impersonate University of Oxford", "description": "", "modified": "2023-12-06T13:41:33.476000", "created": "2023-12-06T13:41:33.476000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 34, "hostname": 27, "FileHash-MD5": 22, "email": 10 }, "indicator_count": 93, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "main-google-resolver.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "main-google-resolver.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780258463.9591832 }