{ "type": "Domain", "indicator": "maxolutions243.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/maxolutions243.com", "alexa": "http://www.alexa.com/siteinfo/maxolutions243.com", "indicator": "maxolutions243.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3167082283, "indicator": "maxolutions243.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "698081e8c82411d000808025", "name": "Quick, You Need Assistance!", "description": "A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.", "modified": "2026-03-04T10:03:50.152000", "created": "2026-02-02T10:52:24.545000", "tags": [ "netsupport manager", "cybercrime", "powershell", "amsi bypass", "remote access trojan", "powershell web-socket remote access trojan", "voice-phishing", "quick assist", "microsoft teams" ], "references": [ "https://fieldeffect.com/blog/quick-you-need-assistance" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PowerShell web-socket remote access trojan", "display_name": "PowerShell web-socket remote access trojan", "target": null }, { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386662, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-06-01T09:03:58.916000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 553834, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49969, "domain": 75353 }, "indicator_count": 125322, "is_author": false, "is_subscribing": null, "subscriber_count": 1728, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1ab6efb8f3c8da4f6b358c", "name": "GREYVIBE Threat Actor: TTPs, Malware, and Infrastructure Analysis.", "description": "GREYVIBE is a cyber threat actor identified by WithSecure, primarily targeting Ukraine and entities related to Ukraine since August 2025. The group's activities show significant overlaps in their attack infrastructure and operational methodologies, which indicate a persistent campaign aligned with Russian state interests, especially in the context of the Russia-Ukraine war. GREYVIBE's operations have been characterized by the use of various attack vectors, including spear-phishing emails, fake captcha pages, and fraudulent websites impersonating Ukrainian organizations. These methods have facilitated the distribution of malware, predominantly custom-developed variants like PhantomRelay, FallSpy, and LegionRelay.", "modified": "2026-05-30T10:12:00.827000", "created": "2026-05-30T10:07:43.020000", "tags": [ "research", "whitepaper", "mohammad kazem hassan nejad", "2026", "powershell", "fallspy", "legionrelay", "lookvalps", "lookvaljs", "javascript", "daylight", "teasoup", "android spyware", "august", "telegram", "dronelink", "princessclub", "phantomrelayv1", "greyvibe", "domain name", "phantommail", "sha256", "domain", "development", "phantomclick", "club site", "teams", "kongtuke", "april", "nsis", "service", "impacket" ], "references": [ "https://labs.withsecure.com/publications/greyvibe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LegionRelay", "display_name": "LegionRelay", "target": null }, { "id": "DroneLink", "display_name": "DroneLink", "target": null }, { "id": "PrincessClub", "display_name": "PrincessClub", "target": null }, { "id": "PhantomRelayV1", "display_name": "PhantomRelayV1", "target": null }, { "id": "LOOKVALJS", "display_name": "LOOKVALJS", "target": null }, { "id": "GREYVIBE", "display_name": "GREYVIBE", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Military", "Government", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "FileHash-MD5": 14, "FileHash-SHA1": 13, "FileHash-SHA256": 67, "IPv4": 9, "URL": 3, "hostname": 4 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819ee87302ddd469eeb4dd", "name": "Quick, You Need Assistance!", "description": "", "modified": "2026-03-04T10:03:50.152000", "created": "2026-02-03T07:08:24.417000", "tags": [ "netsupport manager", "cybercrime", "powershell", "amsi bypass", "remote access trojan", "powershell web-socket remote access trojan", "voice-phishing", "quick assist", "microsoft teams" ], "references": [ "https://fieldeffect.com/blog/quick-you-need-assistance" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PowerShell web-socket remote access trojan", "display_name": "PowerShell web-socket remote access trojan", "target": null }, { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "698081e8c82411d000808025", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://fieldeffect.com/blog/quick-you-need-assistance", "https://labs.withsecure.com/publications/greyvibe", "IOCs.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Powershell web-socket remote access trojan", "Netsupport manager" ], "industries": [] }, "other": { "adversary": [ "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer" ], "malware_families": [ "Powershell web-socket remote access trojan", "Netsupport manager", "Legionrelay", "Greyvibe", "Dronelink", "Princessclub", "Phantomrelayv1", "Lookvaljs" ], "industries": [ "Military", "Government", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "698081e8c82411d000808025", "name": "Quick, You Need Assistance!", "description": "A Microsoft Teams voice-phishing campaign leveraging Quick Assist, a remote administration tool, was tracked in September 2025. The campaign uses help desk scams to gain initial access, followed by user group enumeration and the execution of a PowerShell script to download a command and control payload. The attack employs AMSI bypass, encrypted communications, and a web-socket remote access trojan. Multiple Microsoft 365 tenants with IT-related subdomains were used, along with various IPs and domains for C2 infrastructure. The campaign shows similarities to Storm-1811 and PhantomCaptcha activities, suggesting a complex cybercrime ecosystem. The attackers' ultimate goal may be ransomware deployment, although observed attempts were successfully blocked.", "modified": "2026-03-04T10:03:50.152000", "created": "2026-02-02T10:52:24.545000", "tags": [ "netsupport manager", "cybercrime", "powershell", "amsi bypass", "remote access trojan", "powershell web-socket remote access trojan", "voice-phishing", "quick assist", "microsoft teams" ], "references": [ "https://fieldeffect.com/blog/quick-you-need-assistance" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PowerShell web-socket remote access trojan", "display_name": "PowerShell web-socket remote access trojan", "target": null }, { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386662, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-06-01T09:03:58.916000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 553834, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49969, "domain": 75353 }, "indicator_count": 125322, "is_author": false, "is_subscribing": null, "subscriber_count": 1728, "modified_text": "3 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1ab6efb8f3c8da4f6b358c", "name": "GREYVIBE Threat Actor: TTPs, Malware, and Infrastructure Analysis.", "description": "GREYVIBE is a cyber threat actor identified by WithSecure, primarily targeting Ukraine and entities related to Ukraine since August 2025. The group's activities show significant overlaps in their attack infrastructure and operational methodologies, which indicate a persistent campaign aligned with Russian state interests, especially in the context of the Russia-Ukraine war. GREYVIBE's operations have been characterized by the use of various attack vectors, including spear-phishing emails, fake captcha pages, and fraudulent websites impersonating Ukrainian organizations. These methods have facilitated the distribution of malware, predominantly custom-developed variants like PhantomRelay, FallSpy, and LegionRelay.", "modified": "2026-05-30T10:12:00.827000", "created": "2026-05-30T10:07:43.020000", "tags": [ "research", "whitepaper", "mohammad kazem hassan nejad", "2026", "powershell", "fallspy", "legionrelay", "lookvalps", "lookvaljs", "javascript", "daylight", "teasoup", "android spyware", "august", "telegram", "dronelink", "princessclub", "phantomrelayv1", "greyvibe", "domain name", "phantommail", "sha256", "domain", "development", "phantomclick", "club site", "teams", "kongtuke", "april", "nsis", "service", "impacket" ], "references": [ "https://labs.withsecure.com/publications/greyvibe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "LegionRelay", "display_name": "LegionRelay", "target": null }, { "id": "DroneLink", "display_name": "DroneLink", "target": null }, { "id": "PrincessClub", "display_name": "PrincessClub", "target": null }, { "id": "PhantomRelayV1", "display_name": "PhantomRelayV1", "target": null }, { "id": "LOOKVALJS", "display_name": "LOOKVALJS", "target": null }, { "id": "GREYVIBE", "display_name": "GREYVIBE", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [ "Military", "Government", "Energy" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 55, "FileHash-MD5": 14, "FileHash-SHA1": 13, "FileHash-SHA256": 67, "IPv4": 9, "URL": 3, "hostname": 4 }, "indicator_count": 165, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819ee87302ddd469eeb4dd", "name": "Quick, You Need Assistance!", "description": "", "modified": "2026-03-04T10:03:50.152000", "created": "2026-02-03T07:08:24.417000", "tags": [ "netsupport manager", "cybercrime", "powershell", "amsi bypass", "remote access trojan", "powershell web-socket remote access trojan", "voice-phishing", "quick assist", "microsoft teams" ], "references": [ "https://fieldeffect.com/blog/quick-you-need-assistance" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PowerShell web-socket remote access trojan", "display_name": "PowerShell web-socket remote access trojan", "target": null }, { "id": "NetSupport Manager", "display_name": "NetSupport Manager", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "698081e8c82411d000808025", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "URL": 2 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "maxolutions243.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "maxolutions243.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780315698.7153022 }