{ "type": "Domain", "indicator": "meta-captcha.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/meta-captcha.com", "alexa": "http://www.alexa.com/siteinfo/meta-captcha.com", "indicator": "meta-captcha.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4103580806, "indicator": "meta-captcha.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 386978, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890294672c3c1090b7ee518", "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials [by AustinBH]", "description": "", "modified": "2025-08-04T03:30:14.271000", "created": "2025-08-04T03:30:14.271000", "tags": [ "july", "cyber security", "aman mishra", "facebook login", "google forms", "facebook", "bitb", "security", "checklist", "fake error", "red ransomware", "twitter", "june", "beware", "friday", "phishing", "teamviewer" ], "references": [ "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6883f17d9b858a83aab3fc68", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "302 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688afc88c59a808ba42608ed", "name": "Malware Filter - Phishing List - 30-07-2025", "description": "", "modified": "2025-07-31T05:18:00.071000", "created": "2025-07-31T05:18:00.071000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 17821, "domain": 4278 }, "indicator_count": 22099, "is_author": false, "is_subscribing": null, "subscriber_count": 1630, "modified_text": "306 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68857ed45c30c4d2e2faad3a", "name": "Malware Filter - Phishing List - 26-07-2025", "description": "", "modified": "2025-07-27T01:20:20.560000", "created": "2025-07-27T01:20:20.560000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 131, "hostname": 323 }, "indicator_count": 454, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "311 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6883f17d9b858a83aab3fc68", "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials", "description": "", "modified": "2025-07-25T21:05:01.895000", "created": "2025-07-25T21:05:01.895000", "tags": [ "july", "cyber security", "aman mishra", "facebook login", "google forms", "facebook", "bitb", "security", "checklist", "fake error", "red ransomware", "twitter", "june", "beware", "friday", "phishing", "teamviewer" ], "references": [ "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "312 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt", "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt", "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 386978, "modified_text": "219 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6890294672c3c1090b7ee518", "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials [by AustinBH]", "description": "", "modified": "2025-08-04T03:30:14.271000", "created": "2025-08-04T03:30:14.271000", "tags": [ "july", "cyber security", "aman mishra", "facebook login", "google forms", "facebook", "bitb", "security", "checklist", "fake error", "red ransomware", "twitter", "june", "beware", "friday", "phishing", "teamviewer" ], "references": [ "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6883f17d9b858a83aab3fc68", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "302 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688afc88c59a808ba42608ed", "name": "Malware Filter - Phishing List - 30-07-2025", "description": "", "modified": "2025-07-31T05:18:00.071000", "created": "2025-07-31T05:18:00.071000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 17821, "domain": 4278 }, "indicator_count": 22099, "is_author": false, "is_subscribing": null, "subscriber_count": 1630, "modified_text": "306 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68857ed45c30c4d2e2faad3a", "name": "Malware Filter - Phishing List - 26-07-2025", "description": "", "modified": "2025-07-27T01:20:20.560000", "created": "2025-07-27T01:20:20.560000", "tags": [], "references": [ "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 131, "hostname": 323 }, "indicator_count": 454, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "311 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6883f17d9b858a83aab3fc68", "name": "Phishing Attack Spoofs Facebook Login Page to Capture Credentials", "description": "", "modified": "2025-07-25T21:05:01.895000", "created": "2025-07-25T21:05:01.895000", "tags": [ "july", "cyber security", "aman mishra", "facebook login", "google forms", "facebook", "bitb", "security", "checklist", "fake error", "red ransomware", "twitter", "june", "beware", "friday", "phishing", "teamviewer" ], "references": [ "https://gbhackers.com/phishing-attack-spoofs-facebook-login-page/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "312 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "meta-captcha.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "meta-captcha.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780450078.3032985 }