{
  "type": "Domain",
  "indicator": "messi.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/messi.com",
    "alexa": "http://www.alexa.com/siteinfo/messi.com",
    "indicator": "messi.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3849658756,
      "indicator": "messi.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "687f4b4cfd8643f70fc2c85c",
          "name": "?\u00bf?\u00bf?",
          "description": "",
          "modified": "2025-08-21T08:03:34.998000",
          "created": "2025-07-22T08:26:52.598000",
          "tags": [
            "passive dns",
            "urls",
            "url add",
            "pulse pulses",
            "http",
            "hostname",
            "files domain",
            "files related",
            "pulses otx",
            "pulses",
            "virustotal",
            "server",
            "date",
            "dnssec",
            "domain name",
            "status",
            "abuse contact",
            "email",
            "registrar abuse",
            "contact phone",
            "registrar iana",
            "port",
            "destination",
            "medium",
            "regopenkeyexw",
            "windows",
            "windows server",
            "win32",
            "show",
            "search",
            "module load",
            "dock",
            "unknown",
            "delphi",
            "observer",
            "stream",
            "encrypt"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 119,
            "hostname": 905,
            "URL": 675,
            "email": 1,
            "FileHash-SHA256": 873,
            "FileHash-MD5": 83,
            "FileHash-SHA1": 80,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 2738,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "286 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6628fda86b927254e8339e26",
          "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining - Avast Threat Labs",
          "description": "The GuptiMiner malware is a highly sophisticated threat that hijacks antivirus updates to distribute backdoors and coinminers, as Avast has discovered and documented in its analysis.",
          "modified": "2024-05-24T12:02:06.013000",
          "created": "2024-04-24T12:40:08.699000",
          "tags": [
            "guptiminer",
            "puppeteer",
            "dns txt",
            "stage",
            "png file",
            "dns server",
            "ip address",
            "kimsuky",
            "windows",
            "iocs",
            "xmrig",
            "loader",
            "evolution",
            "manipulation",
            "shutdown",
            "defender",
            "antivm",
            "teamviewer",
            "june",
            "first",
            "winnti",
            "shellcode",
            "dns",
            "utc",
            "lazarus",
            "homuwitch",
            "modular"
          ],
          "references": [
            "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
          ],
          "public": 1,
          "adversary": "DNS",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "UTC",
              "display_name": "UTC",
              "target": null
            },
            {
              "id": "Lazarus",
              "display_name": "Lazarus",
              "target": null
            },
            {
              "id": "HomuWitch",
              "display_name": "HomuWitch",
              "target": null
            },
            {
              "id": "Modular",
              "display_name": "Modular",
              "target": null
            },
            {
              "id": "GuptiMiner",
              "display_name": "GuptiMiner",
              "target": null
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 49,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 26,
            "URL": 8,
            "domain": 10
          },
          "indicator_count": 103,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "739 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6628e0114b76d53b1314a856",
          "name": "Hackers hijack antivirus updates to drop GuptiMiner malware",
          "description": "North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. Researchers describe GuptiMiner as \"a highly sophisticated threat\" that can perform DNS requests to the attacker's DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.",
          "modified": "2024-05-24T10:00:29.863000",
          "created": "2024-04-24T10:33:53.726000",
          "tags": [
            "guptiminer",
            "puppeteer",
            "dns txt",
            "stage",
            "png file",
            "dns server",
            "ip address",
            "kimsuky",
            "windows",
            "iocs",
            "xmrig",
            "loader",
            "evolution",
            "manipulation",
            "shutdown",
            "defender",
            "antivm",
            "teamviewer",
            "june",
            "first",
            "winnti",
            "shellcode",
            "dns",
            "utc",
            "lazarus",
            "homuwitch",
            "modular"
          ],
          "references": [
            "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/",
            "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/"
          ],
          "public": 1,
          "adversary": "DNS",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "UTC",
              "display_name": "UTC",
              "target": null
            },
            {
              "id": "Lazarus",
              "display_name": "Lazarus",
              "target": null
            },
            {
              "id": "HomuWitch",
              "display_name": "HomuWitch",
              "target": null
            },
            {
              "id": "Modular",
              "display_name": "Modular",
              "target": null
            },
            {
              "id": "GuptiMiner",
              "display_name": "GuptiMiner",
              "target": null
            },
            {
              "id": "Kimsuky",
              "display_name": "Kimsuky",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1187",
              "name": "Forced Authentication",
              "display_name": "T1187 - Forced Authentication"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 332,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 26,
            "URL": 6,
            "domain": 10
          },
          "indicator_count": 101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 433,
          "modified_text": "740 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6628cd01dc7388f7fe881212",
          "name": "CERT-UA",
          "description": "",
          "modified": "2024-05-24T09:03:46.136000",
          "created": "2024-04-24T09:12:33.549000",
          "tags": [
            "guptiminer",
            "puppeteer",
            "dns txt",
            "stage",
            "png file",
            "dns server",
            "ip address",
            "kimsuky",
            "windows",
            "iocs",
            "xmrig",
            "loader",
            "evolution",
            "manipulation",
            "shutdown",
            "defender",
            "antivm",
            "teamviewer",
            "june",
            "first",
            "winnti",
            "shellcode"
          ],
          "references": [
            "https://cert.gov.ua/article/6278706",
            "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluenumberone",
            "id": "246058",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "CVE": 1,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 26,
            "URL": 6,
            "domain": 10
          },
          "indicator_count": 101,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "740 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "662f2acd77f2b5b89a0aeb50",
          "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining",
          "description": "",
          "modified": "2024-05-24T09:03:46.136000",
          "created": "2024-04-29T05:06:21.569000",
          "tags": [
            "guptiminer",
            "puppeteer",
            "dns txt",
            "stage",
            "png file",
            "dns server",
            "ip address",
            "kimsuky",
            "windows",
            "iocs",
            "xmrig",
            "loader",
            "evolution",
            "manipulation",
            "shutdown",
            "defender",
            "antivm",
            "teamviewer",
            "june",
            "first",
            "winnti",
            "shellcode"
          ],
          "references": [
            "https://cert.gov.ua/article/6278706",
            "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6628cd01dc7388f7fe881212",
          "export_count": 43,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 26,
            "URL": 6,
            "domain": 10
          },
          "indicator_count": 100,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "740 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "663b209f4550b92383fbefad",
          "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining",
          "description": "",
          "modified": "2024-05-24T09:03:46.136000",
          "created": "2024-05-08T06:50:07.715000",
          "tags": [
            "guptiminer",
            "puppeteer",
            "dns txt",
            "stage",
            "png file",
            "dns server",
            "ip address",
            "kimsuky",
            "windows",
            "iocs",
            "xmrig",
            "loader",
            "evolution",
            "manipulation",
            "shutdown",
            "defender",
            "antivm",
            "teamviewer",
            "june",
            "first",
            "winnti",
            "shellcode"
          ],
          "references": [
            "https://cert.gov.ua/article/6278706",
            "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "662f2acd77f2b5b89a0aeb50",
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 42,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 26,
            "URL": 6,
            "domain": 10
          },
          "indicator_count": 100,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "740 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cert.gov.ua/article/6278706",
        "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/",
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "DNS"
          ],
          "malware_families": [
            "Kimsuky",
            "Homuwitch",
            "Utc",
            "Guptiminer",
            "Lazarus",
            "Modular"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "687f4b4cfd8643f70fc2c85c",
      "name": "?\u00bf?\u00bf?",
      "description": "",
      "modified": "2025-08-21T08:03:34.998000",
      "created": "2025-07-22T08:26:52.598000",
      "tags": [
        "passive dns",
        "urls",
        "url add",
        "pulse pulses",
        "http",
        "hostname",
        "files domain",
        "files related",
        "pulses otx",
        "pulses",
        "virustotal",
        "server",
        "date",
        "dnssec",
        "domain name",
        "status",
        "abuse contact",
        "email",
        "registrar abuse",
        "contact phone",
        "registrar iana",
        "port",
        "destination",
        "medium",
        "regopenkeyexw",
        "windows",
        "windows server",
        "win32",
        "show",
        "search",
        "module load",
        "dock",
        "unknown",
        "delphi",
        "observer",
        "stream",
        "encrypt"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 119,
        "hostname": 905,
        "URL": 675,
        "email": 1,
        "FileHash-SHA256": 873,
        "FileHash-MD5": 83,
        "FileHash-SHA1": 80,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 2738,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "286 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6628fda86b927254e8339e26",
      "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining - Avast Threat Labs",
      "description": "The GuptiMiner malware is a highly sophisticated threat that hijacks antivirus updates to distribute backdoors and coinminers, as Avast has discovered and documented in its analysis.",
      "modified": "2024-05-24T12:02:06.013000",
      "created": "2024-04-24T12:40:08.699000",
      "tags": [
        "guptiminer",
        "puppeteer",
        "dns txt",
        "stage",
        "png file",
        "dns server",
        "ip address",
        "kimsuky",
        "windows",
        "iocs",
        "xmrig",
        "loader",
        "evolution",
        "manipulation",
        "shutdown",
        "defender",
        "antivm",
        "teamviewer",
        "june",
        "first",
        "winnti",
        "shellcode",
        "dns",
        "utc",
        "lazarus",
        "homuwitch",
        "modular"
      ],
      "references": [
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
      ],
      "public": 1,
      "adversary": "DNS",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "UTC",
          "display_name": "UTC",
          "target": null
        },
        {
          "id": "Lazarus",
          "display_name": "Lazarus",
          "target": null
        },
        {
          "id": "HomuWitch",
          "display_name": "HomuWitch",
          "target": null
        },
        {
          "id": "Modular",
          "display_name": "Modular",
          "target": null
        },
        {
          "id": "GuptiMiner",
          "display_name": "GuptiMiner",
          "target": null
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 49,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 26,
        "URL": 8,
        "domain": 10
      },
      "indicator_count": 103,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "739 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6628e0114b76d53b1314a856",
      "name": "Hackers hijack antivirus updates to drop GuptiMiner malware",
      "description": "North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. Researchers describe GuptiMiner as \"a highly sophisticated threat\" that can perform DNS requests to the attacker's DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.",
      "modified": "2024-05-24T10:00:29.863000",
      "created": "2024-04-24T10:33:53.726000",
      "tags": [
        "guptiminer",
        "puppeteer",
        "dns txt",
        "stage",
        "png file",
        "dns server",
        "ip address",
        "kimsuky",
        "windows",
        "iocs",
        "xmrig",
        "loader",
        "evolution",
        "manipulation",
        "shutdown",
        "defender",
        "antivm",
        "teamviewer",
        "june",
        "first",
        "winnti",
        "shellcode",
        "dns",
        "utc",
        "lazarus",
        "homuwitch",
        "modular"
      ],
      "references": [
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/",
        "https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/"
      ],
      "public": 1,
      "adversary": "DNS",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "UTC",
          "display_name": "UTC",
          "target": null
        },
        {
          "id": "Lazarus",
          "display_name": "Lazarus",
          "target": null
        },
        {
          "id": "HomuWitch",
          "display_name": "HomuWitch",
          "target": null
        },
        {
          "id": "Modular",
          "display_name": "Modular",
          "target": null
        },
        {
          "id": "GuptiMiner",
          "display_name": "GuptiMiner",
          "target": null
        },
        {
          "id": "Kimsuky",
          "display_name": "Kimsuky",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1187",
          "name": "Forced Authentication",
          "display_name": "T1187 - Forced Authentication"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 332,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 26,
        "URL": 6,
        "domain": 10
      },
      "indicator_count": 101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 433,
      "modified_text": "740 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6628cd01dc7388f7fe881212",
      "name": "CERT-UA",
      "description": "",
      "modified": "2024-05-24T09:03:46.136000",
      "created": "2024-04-24T09:12:33.549000",
      "tags": [
        "guptiminer",
        "puppeteer",
        "dns txt",
        "stage",
        "png file",
        "dns server",
        "ip address",
        "kimsuky",
        "windows",
        "iocs",
        "xmrig",
        "loader",
        "evolution",
        "manipulation",
        "shutdown",
        "defender",
        "antivm",
        "teamviewer",
        "june",
        "first",
        "winnti",
        "shellcode"
      ],
      "references": [
        "https://cert.gov.ua/article/6278706",
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bluenumberone",
        "id": "246058",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "CVE": 1,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 26,
        "URL": 6,
        "domain": 10
      },
      "indicator_count": 101,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "740 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "662f2acd77f2b5b89a0aeb50",
      "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining",
      "description": "",
      "modified": "2024-05-24T09:03:46.136000",
      "created": "2024-04-29T05:06:21.569000",
      "tags": [
        "guptiminer",
        "puppeteer",
        "dns txt",
        "stage",
        "png file",
        "dns server",
        "ip address",
        "kimsuky",
        "windows",
        "iocs",
        "xmrig",
        "loader",
        "evolution",
        "manipulation",
        "shutdown",
        "defender",
        "antivm",
        "teamviewer",
        "june",
        "first",
        "winnti",
        "shellcode"
      ],
      "references": [
        "https://cert.gov.ua/article/6278706",
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6628cd01dc7388f7fe881212",
      "export_count": 43,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 26,
        "URL": 6,
        "domain": 10
      },
      "indicator_count": 100,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "740 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "663b209f4550b92383fbefad",
      "name": "GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining",
      "description": "",
      "modified": "2024-05-24T09:03:46.136000",
      "created": "2024-05-08T06:50:07.715000",
      "tags": [
        "guptiminer",
        "puppeteer",
        "dns txt",
        "stage",
        "png file",
        "dns server",
        "ip address",
        "kimsuky",
        "windows",
        "iocs",
        "xmrig",
        "loader",
        "evolution",
        "manipulation",
        "shutdown",
        "defender",
        "antivm",
        "teamviewer",
        "june",
        "first",
        "winnti",
        "shellcode"
      ],
      "references": [
        "https://cert.gov.ua/article/6278706",
        "https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-for-distributing-backdoors-and-casual-mining/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "662f2acd77f2b5b89a0aeb50",
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 42,
        "FileHash-MD5": 7,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 26,
        "URL": 6,
        "domain": 10
      },
      "indicator_count": 100,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "740 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "messi.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "messi.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780485725.0613585
}