{ "type": "Domain", "indicator": "maximumservers.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/maximumservers.net", "alexa": "http://www.alexa.com/siteinfo/maximumservers.net", "indicator": "maximumservers.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3542184420, "indicator": "maximumservers.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 30, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386600, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513b48fc15b29e096cc0883", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T04:01:31.874000", "created": "2023-09-27T04:50:23.854000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513dba95e9f04e377e80ec6", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:37:13.684000", "created": "2023-09-27T07:37:13.684000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6513d2f4bd7a777522384d5c", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d2f4bd7a777522384d5c", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:00:04.025000", "created": "2023-09-27T07:00:04.025000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d29aa4726d5d22c9dbc9", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T06:58:34.207000", "created": "2023-09-27T06:58:34.207000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "977 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a09af58f85f39cb9fdd0", "name": "Threatview.io C2 Hunt Feed", "description": "Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:03:54.265000", "tags": [ "hunter", "pm utc", "am utc", "september", "august", "february", "january", "june", "april", "october", "media", "date", "comment" ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitman", "id": "195", "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 543, "hostname": 120 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64adf7016a7b4ab586b0e9a0", "name": "a", "description": "", "modified": "2023-07-12T00:42:41.650000", "created": "2023-07-12T00:42:41.650000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": "634d4502bf3dba0db45b94b1", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "alienvaultyeyeleeas", "id": "237476", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "1055 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "634d45069bd7a94c865b63fe", "name": "Cobalt Strike C2 | 10/10/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 10/10/2022.", "modified": "2022-11-16T00:01:47.762000", "created": "2022-10-17T12:05:26.478000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "634d4502bf3dba0db45b94b1", "name": "Cobalt Strike Servers & C2 | 10/10/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 10/10/2022.", "modified": "2022-11-16T00:01:47.762000", "created": "2022-10-17T12:05:22.221000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63440a72bf909b9d5ae243d9", "name": "Cobalt Strike C2 | 10/03/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 10/03/2022.", "modified": "2022-11-09T00:03:32.403000", "created": "2022-10-10T12:05:06.796000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1300 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63440a6eb04ff58541ca2d32", "name": "Cobalt Strike Servers & C2 | 10/03/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 10/03/2022.", "modified": "2022-11-09T00:03:32.403000", "created": "2022-10-10T12:05:02.812000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1300 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633acfdd2a37e5a86ea722df", "name": "Cobalt Strike C2 | 09/26/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/26/2022.", "modified": "2022-11-02T00:03:22.684000", "created": "2022-10-03T12:04:45.197000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633acfdabbb4d987e51f72cd", "name": "Cobalt Strike Servers & C2 | 09/26/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/26/2022.", "modified": "2022-11-02T00:03:22.684000", "created": "2022-10-03T12:04:42.746000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633195623f657ee1f67a703c", "name": "Cobalt Strike C2 | 09/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/19/2022.", "modified": "2022-10-26T00:03:18.189000", "created": "2022-09-26T12:04:50.661000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "1314 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6331956040a253134deba5a5", "name": "Cobalt Strike Servers & C2 | 09/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/19/2022.", "modified": "2022-10-26T00:03:18.189000", "created": "2022-09-26T12:04:48.236000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1314 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6310a632fb47887dc1beb0ef", "name": "CSIRT - POST Luxembourg - CTI Feed / 09-2022", "description": "CSIRT - POST Luxembourg", "modified": "2022-10-19T06:16:15.572000", "created": "2022-09-01T12:31:46.586000", "tags": [ "Phishing", "Scam", "Malware" ], "references": [ "Cyber Threat Intelligence", "CyberSOS", "CSIRT POST Luxembourg" ], "public": 1, "adversary": "", "targeted_countries": [ "Luxembourg" ], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [ "Telecommunications", "Government" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "TonyJabbour", "id": "162196", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_162196/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 285, "hostname": 162, "URL": 153, "FileHash-MD5": 19, "FileHash-SHA1": 19, "FileHash-SHA256": 39 }, "indicator_count": 677, "is_author": false, "is_subscribing": null, "subscriber_count": 24, "modified_text": "1320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63285aed18a5213ce5640e6d", "name": "Cobalt Strike C2 | 09/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/12/2022.", "modified": "2022-10-19T00:05:03.577000", "created": "2022-09-19T12:05:01.708000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63285aebad35eb7ee1046b80", "name": "Cobalt Strike Servers & C2 | 09/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/12/2022.", "modified": "2022-10-19T00:05:03.577000", "created": "2022-09-19T12:04:59.048000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "631f206c5854bcf38c2c30c8", "name": "Cobalt Strike C2 | 09/05/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/05/2022.", "modified": "2022-10-12T00:05:41.896000", "created": "2022-09-12T12:05:00.475000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "1328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "631f20691b7a824546287c13", "name": "Cobalt Strike Servers & C2 | 09/05/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/05/2022.", "modified": "2022-10-12T00:05:41.896000", "created": "2022-09-12T12:04:57.307000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6315e61d2cbe1272834ee672", "name": "Cobalt Strike C2 | 08/29/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 08/29/2022.", "modified": "2022-10-05T00:01:41.930000", "created": "2022-09-05T12:05:49.110000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1335 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "630cab765ef425aafa5d5ccb", "name": "Cobalt Strike C2 | 08/22/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 08/22/2022.", "modified": "2022-09-28T00:00:00.253000", "created": "2022-08-29T12:05:10.111000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1342 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "Aug1.pdf", "CyberSOS", "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt", "https://www.group-ib.com/blog/shadowsyndicate-raas/", "Cyber Threat Intelligence", "CSIRT POST Luxembourg" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple" ], "malware_families": [ "", "Cobalt strike - s0154" ], "industries": [ "Telecommunications", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 30, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386600, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513b48fc15b29e096cc0883", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T04:01:31.874000", "created": "2023-09-27T04:50:23.854000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "maximumservers.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "maximumservers.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780278487.2181876 }