{ "type": "Domain", "indicator": "megupdate.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/megupdate.com", "alexa": "http://www.alexa.com/siteinfo/megupdate.com", "indicator": "megupdate.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3901427574, "indicator": "megupdate.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "67ea2ad332f874a45a095bed", "name": "Fake Zoom Ends in BlackSuit Ransomware", "description": "A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.", "modified": "2025-04-30T05:03:26.069000", "created": "2025-03-31T05:40:35.114000", "tags": [ "brute ratel", "cobalt strike", "sectoprat", "proxy", "lateral movement", "exfiltration", "blacksuit", "d3f@ckloader", "ransomware", "qdoor" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "Brute Ratel", "display_name": "Brute Ratel", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "QDoor", "display_name": "QDoor", "target": null }, { "id": "d3f@ckloader", "display_name": "d3f@ckloader", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1127.001", "name": "MSBuild", "display_name": "T1127.001 - MSBuild" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 13, "URL": 5, "domain": 1, "hostname": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "396 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628dff37032808c7c9e014dc", "name": "Sauron - Malware Domain Feed V2", "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T00:08:02.925000", "created": "2022-05-25T10:04:39.623000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 160684, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49120, "domain": 83968 }, "indicator_count": 133088, "is_author": false, "is_subscribing": null, "subscriber_count": 1574, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67efa39a268c4f13cd51f0d5", "name": "Fake Zoom Installer Delivers BlackSuit Ransomware via RDP Exploitation and Multi-Stage Payloads", "description": "This campaign primarily targets users who download and install a trojanized Zoom installer from a malicious website impersonating the legitimate Zoom download page. The attack exploits user trust in the Zoom application to deliver malware, enabling threat actors to gain unauthorized remote access and deploy ransomware.", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:17:14.923000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef2c7984e7a6c5db88a1d0", "name": "Threat Actor Deploys Ransomware Through Fake Zoom Download", "description": "A threat actor group leveraged a malicious zoom file to infiltrate corporate\nenvironments. This was observed after this group silently targeted an corporate\nenvironment for nine days before deploying dangerous blacksuite ransomware.", "modified": "2025-05-04T00:01:23.300000", "created": "2025-04-04T00:48:56.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ee15ce9c628068fb99a180", "name": "DarkCloud Malware Targets Windows Devices", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not be published until the end of the year, but", "modified": "2025-05-03T04:00:22.115000", "created": "2025-04-03T04:59:58.329000", "tags": [ "ckloader", "sectoprat", "brute ratel", "cobalt strike", "qdoor" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 7, "hostname": 3, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 36 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebd3178ffaad1ed213c2e3", "name": "Fake Zoom Ends in BlackSuit Ransomware – The DFIR Report", "description": "A look back at some of the key moments in a cyber-attack that took place in May 2024 and led to BlackSuit ransomware being successfully executed across all Windows systems, including the entire Windows operating system.", "modified": "2025-05-01T11:03:54.851000", "created": "2025-04-01T11:50:47.731000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ea98de56c6392506302862", "name": "Apache Tomcat Vulnerability Actively Exploited to Carry out Remote Code Execution", "description": "", "modified": "2025-04-30T13:03:09.683000", "created": "2025-03-31T13:30:06.403000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ea99af04575f0c6ab56de1", "name": "Threat Actor Deploys Ransomware Through Fake Zoom Download", "description": "", "modified": "2025-04-30T13:03:09.683000", "created": "2025-03-31T13:33:35.859000", "tags": [ "ckloader", "sectoprat", "brute ratel", "cobalt strike", "qdoor" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb482b729f8c69eeb3b70d", "name": "IOC - Fake Zoom Ends in BlackSuit Ransomware", "description": "", "modified": "2025-04-30T05:03:26.069000", "created": "2025-04-01T01:58:03.398000", "tags": [ "brute ratel", "cobalt strike", "sectoprat", "proxy", "lateral movement", "exfiltration", "blacksuit", "d3f@ckloader", "ransomware", "qdoor" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "Brute Ratel", "display_name": "Brute Ratel", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "QDoor", "display_name": "QDoor", "target": null }, { "id": "d3f@ckloader", "display_name": "d3f@ckloader", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1127.001", "name": "MSBuild", "display_name": "T1127.001 - MSBuild" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [], "TLP": "white", "cloned_from": "67ea2ad332f874a45a095bed", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 13, "URL": 5, "domain": 1, "hostname": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "396 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb2c82f6d5abd9d68f1e47", "name": "Blacksuite Ransomware", "description": "Blacksuite Ransomware; last update : 27/08/2024", "modified": "2024-09-26T10:02:17.150000", "created": "2024-08-13T09:50:58.558000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "FileHash-SHA256": 32, "URL": 11, "domain": 22, "hostname": 5, "FileHash-MD5": 5, "FileHash-SHA1": 5 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66c3d0099e7958c7219e138d", "name": "Weekly OSINT Highlights, 19 August 2024", "description": "", "modified": "2024-09-18T23:04:39.329000", "created": "2024-08-19T23:06:49.761000", "tags": [ "OSINT" ], "references": [ "https://community.riskiq.com/article/256c3cbd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 18, "FileHash-SHA1": 28, "domain": 73, "hostname": 17, "FileHash-SHA256": 111, "FileHash-MD5": 31 }, "indicator_count": 278, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6654138435c5832ca2c4028f", "name": "DOH Domains IOCs", "description": "The following is a full list of items that you might not have known existed::..com, or, if you were interested in them, are the most likely ones to come up with", "modified": "2024-08-26T04:12:43.497000", "created": "2024-05-27T05:00:52.918000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fueledbycoffeeDXB", "id": "272228", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "domain": 1335, "hostname": 667 }, "indicator_count": 2009, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "643 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666ca83668b304ff8068b15c", "name": "IB-24-10067 New BlackSuit Ransomware Indicators of Compromise Observed in Information Technology Sector", "description": "", "modified": "2024-07-14T20:02:05.927000", "created": "2024-06-14T20:29:42.761000", "tags": [ "ck technnique", "behavior", "green", "discovery", "impact", "ipv4addr", "ip watchlist", "access token", "manipulation", "t1134", "comment", "execution" ], "references": [ "IB-24-10067.stix.xml", "IB-24-10067.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cct_octi", "id": "283983", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2, "hostname": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "685 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators", "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/", "https://community.riskiq.com/article/256c3cbd", "IB-24-10067.stix.xml", "IB-24-10067.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "D3f@ckloader", "Sectoprat", "Blacksuit", "Qdoor", "Cobalt strike - s0154", "Brute ratel" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "D3f@ckloader", "Sectoprat", "Blacksuit", "Nids", "Qdoor", "Cobalt strike - s0154", "Cobalt strike", "Brute ratel" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "67ea2ad332f874a45a095bed", "name": "Fake Zoom Ends in BlackSuit Ransomware", "description": "A malicious website mimicking Zoom led to the installation of a trojanized installer, initiating a multi-stage attack. The initial payload, d3f@ckloader, downloaded additional components, including SectopRAT. After nine days, the threat actor deployed Brute Ratel and Cobalt Strike beacons for lateral movement. They used various techniques for discovery and credential access, including LSASS memory dumping. The attacker employed QDoor for proxying RDP connections, facilitating data collection and exfiltration via the cloud service Bublup. The intrusion culminated in the deployment of BlackSuit ransomware across multiple systems using PsExec, with a total time to ransomware of 194 hours over nine days.", "modified": "2025-04-30T05:03:26.069000", "created": "2025-03-31T05:40:35.114000", "tags": [ "brute ratel", "cobalt strike", "sectoprat", "proxy", "lateral movement", "exfiltration", "blacksuit", "d3f@ckloader", "ransomware", "qdoor" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "Brute Ratel", "display_name": "Brute Ratel", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "QDoor", "display_name": "QDoor", "target": null }, { "id": "d3f@ckloader", "display_name": "d3f@ckloader", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1127.001", "name": "MSBuild", "display_name": "T1127.001 - MSBuild" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 49, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 13, "URL": 5, "domain": 1, "hostname": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386516, "modified_text": "396 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "628dff37032808c7c9e014dc", "name": "Sauron - Malware Domain Feed V2", "description": "Command and Control domains for Sauron. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T00:08:02.925000", "created": "2022-05-25T10:04:39.623000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 160684, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49120, "domain": 83968 }, "indicator_count": 133088, "is_author": false, "is_subscribing": null, "subscriber_count": 1574, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67efa39a268c4f13cd51f0d5", "name": "Fake Zoom Installer Delivers BlackSuit Ransomware via RDP Exploitation and Multi-Stage Payloads", "description": "This campaign primarily targets users who download and install a trojanized Zoom installer from a malicious website impersonating the legitimate Zoom download page. The attack exploits user trust in the Zoom application to deliver malware, enabling threat actors to gain unauthorized remote access and deploy ransomware.", "modified": "2025-05-04T09:00:06.184000", "created": "2025-04-04T09:17:14.923000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 213, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef2c7984e7a6c5db88a1d0", "name": "Threat Actor Deploys Ransomware Through Fake Zoom Download", "description": "A threat actor group leveraged a malicious zoom file to infiltrate corporate\nenvironments. This was observed after this group silently targeted an corporate\nenvironment for nine days before deploying dangerous blacksuite ransomware.", "modified": "2025-05-04T00:01:23.300000", "created": "2025-04-04T00:48:56.580000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 56, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ee15ce9c628068fb99a180", "name": "DarkCloud Malware Targets Windows Devices", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not be published until the end of the year, but", "modified": "2025-05-03T04:00:22.115000", "created": "2025-04-03T04:59:58.329000", "tags": [ "ckloader", "sectoprat", "brute ratel", "cobalt strike", "qdoor" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 7, "hostname": 3, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 36 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "393 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebd3178ffaad1ed213c2e3", "name": "Fake Zoom Ends in BlackSuit Ransomware – The DFIR Report", "description": "A look back at some of the key moments in a cyber-attack that took place in May 2024 and led to BlackSuit ransomware being successfully executed across all Windows systems, including the entire Windows operating system.", "modified": "2025-05-01T11:03:54.851000", "created": "2025-04-01T11:50:47.731000", "tags": [ "cobalt strike", "qdoor", "winrar", "sectoprat", "brute ratel", "wmic", "badger", "rar archive", "psexec", "zoom", "download", "steam", "hijackloader", "unknown", "cobalt", "win64", "impact", "april", "metasploit", "sliver", "ransomware", "explorer", "powershell", "rest", "malicious", "ratel", "write", "execution", "shell", "nids", "blacksuit" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#indicators" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "NIDS", "display_name": "NIDS", "target": null }, { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 15, "FileHash-SHA256": 15, "URL": 9, "domain": 3, "hostname": 3 }, "indicator_count": 59, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ea98de56c6392506302862", "name": "Apache Tomcat Vulnerability Actively Exploited to Carry out Remote Code Execution", "description": "", "modified": "2025-04-30T13:03:09.683000", "created": "2025-03-31T13:30:06.403000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ea99af04575f0c6ab56de1", "name": "Threat Actor Deploys Ransomware Through Fake Zoom Download", "description": "", "modified": "2025-04-30T13:03:09.683000", "created": "2025-03-31T13:33:35.859000", "tags": [ "ckloader", "sectoprat", "brute ratel", "cobalt strike", "qdoor" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9, "domain": 1, "hostname": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "395 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb482b729f8c69eeb3b70d", "name": "IOC - Fake Zoom Ends in BlackSuit Ransomware", "description": "", "modified": "2025-04-30T05:03:26.069000", "created": "2025-04-01T01:58:03.398000", "tags": [ "brute ratel", "cobalt strike", "sectoprat", "proxy", "lateral movement", "exfiltration", "blacksuit", "d3f@ckloader", "ransomware", "qdoor" ], "references": [ "https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackSuit", "display_name": "BlackSuit", "target": null }, { "id": "SectopRAT", "display_name": "SectopRAT", "target": null }, { "id": "Brute Ratel", "display_name": "Brute Ratel", "target": null }, { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null }, { "id": "QDoor", "display_name": "QDoor", "target": null }, { "id": "d3f@ckloader", "display_name": "d3f@ckloader", "target": null } ], "attack_ids": [ { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1087.001", "name": "Local Account", "display_name": "T1087.001 - Local Account" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1482", "name": "Domain Trust Discovery", "display_name": "T1482 - Domain Trust Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1069.001", "name": "Local Groups", "display_name": "T1069.001 - Local Groups" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1218.010", "name": "Regsvr32", "display_name": "T1218.010 - Regsvr32" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1127.001", "name": "MSBuild", "display_name": "T1127.001 - MSBuild" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [], "TLP": "white", "cloned_from": "67ea2ad332f874a45a095bed", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 13, "URL": 5, "domain": 1, "hostname": 1 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "396 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bb2c82f6d5abd9d68f1e47", "name": "Blacksuite Ransomware", "description": "Blacksuite Ransomware; last update : 27/08/2024", "modified": "2024-09-26T10:02:17.150000", "created": "2024-08-13T09:50:58.558000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IndoOpenThreatXchange", "id": "286483", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_286483/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 65, "FileHash-SHA256": 32, "URL": 11, "domain": 22, "hostname": 5, "FileHash-MD5": 5, "FileHash-SHA1": 5 }, "indicator_count": 145, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "megupdate.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "megupdate.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780226043.7727213 }