{ "type": "Domain", "indicator": "mkluk.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mkluk.com", "alexa": "http://www.alexa.com/siteinfo/mkluk.com", "indicator": "mkluk.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3855416221, "indicator": "mkluk.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69d5f56a5f13dc6c5bd93c0e", "name": "WIN EXE. Run Sandboxed", "description": "The full text of the report on the Google server, published on 1 January 2018, has been published online by the internet service provider, ICann.com, for the first time in its history.", "modified": "2026-05-08T07:38:32.166000", "created": "2026-04-08T06:27:54.699000", "tags": [ "win32", "as15169 google", "united", "status", "mtb jan", "mtb mar", "mtb feb", "name servers", "aaaa", "passive dns", "date", "trojan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 283, "FileHash-SHA1": 279, "FileHash-SHA256": 620, "email": 6, "URL": 353, "domain": 198, "hostname": 287, "CVE": 16 }, "indicator_count": 2042, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff6bf46f5d8662048ca7a1", "name": "symcd.com \u2022 Netify.ai", "description": "Seen in multiple attacks including CrowdStrike\nincident that was truly a breach found and reported prior to outage. SYCMD..com\nis consistently removed / deleted from pulses.\n\nI have nothing to say. OTX will pulse this let\u2019s see if anything happens..\n#rootkit? #ai #netify #malware #running_webserver #ottowa #elf #agent #malware #known #network_icmp #nolookup_communication\nantivm_generic_disk #dead host\n#dumped_buffer\n#network_cnc_http\n#network_http\n#allocates_rwx\n#av_detect_china_key #m\n[ELF:Agent-VW\\ [Trj]]\nIDS Detections :\n*GoBrut Service Bruter CnC Activity \n*GoBrut Service Bruter CnC Checkin \n*Generic.Go.Bruteforcer CnC Beacon\neval String.fromCharCode String Which May Be #malicious\nYara Detections:\ncompromised_site_redirector_fromcharcode\nfromCharCode | Yara Detections:\nKnownMaliciousObfuscationPattern\n[External IP Address Lookup via api .ip138 .com]\n[Win.Malware.Softcnapp-6932830-0]\nMultiple malware attack.", "modified": "2025-11-26T12:00:39.551000", "created": "2025-10-27T12:56:20.090000", "tags": [ "present may", "present jun", "name servers", "united", "status", "present aug", "present oct", "present jul", "present mar", "present nov", "date", "digicert", "whois", "forums", "symantec", "comcast", "levelblue", "open threat", "pulse", "urls", "as13335", "info", "server", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "us registrant", "email", "contact email", "host name", "handle", "rdap database", "iana registrar", "present sep", "canada unknown", "moved", "ip address", "search", "title", "encrypt", "ubuntu", "linux x8664", "gobrut service", "bruter cnc", "entries", "show", "activity", "stca", "unknown", "malware", "copy", "next", "team", "script urls", "a domains", "passive dns", "gmt server", "content type", "body", "meta", "for privacy", "creation date", "name redacted", "expiration date", "servers", "hostname add", "pulse pulses", "13371", "qq v", "process32nextw", "regopenkeyexw", "medium", "langchinese", "get na", "rticon", "security", "high", "win32", "write", "dynamicloader", "checks", "alerts", "bios", "dynamic", "total", "read", "delete", "name strings", "south korea" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Bulgaria", "Germany", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3301, "email": 9, "hostname": 1202, "FileHash-SHA256": 1967, "domain": 1885, "FileHash-MD5": 153, "FileHash-SHA1": 151, "CVE": 1, "SSLCertFingerprint": 82, "FilePath": 1 }, "indicator_count": 8752, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69d5f56a5f13dc6c5bd93c0e", "name": "WIN EXE. Run Sandboxed", "description": "The full text of the report on the Google server, published on 1 January 2018, has been published online by the internet service provider, ICann.com, for the first time in its history.", "modified": "2026-05-08T07:38:32.166000", "created": "2026-04-08T06:27:54.699000", "tags": [ "win32", "as15169 google", "united", "status", "mtb jan", "mtb mar", "mtb feb", "name servers", "aaaa", "passive dns", "date", "trojan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 283, "FileHash-SHA1": 279, "FileHash-SHA256": 620, "email": 6, "URL": 353, "domain": 198, "hostname": 287, "CVE": 16 }, "indicator_count": 2042, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ff6bf46f5d8662048ca7a1", "name": "symcd.com \u2022 Netify.ai", "description": "Seen in multiple attacks including CrowdStrike\nincident that was truly a breach found and reported prior to outage. SYCMD..com\nis consistently removed / deleted from pulses.\n\nI have nothing to say. OTX will pulse this let\u2019s see if anything happens..\n#rootkit? #ai #netify #malware #running_webserver #ottowa #elf #agent #malware #known #network_icmp #nolookup_communication\nantivm_generic_disk #dead host\n#dumped_buffer\n#network_cnc_http\n#network_http\n#allocates_rwx\n#av_detect_china_key #m\n[ELF:Agent-VW\\ [Trj]]\nIDS Detections :\n*GoBrut Service Bruter CnC Activity \n*GoBrut Service Bruter CnC Checkin \n*Generic.Go.Bruteforcer CnC Beacon\neval String.fromCharCode String Which May Be #malicious\nYara Detections:\ncompromised_site_redirector_fromcharcode\nfromCharCode | Yara Detections:\nKnownMaliciousObfuscationPattern\n[External IP Address Lookup via api .ip138 .com]\n[Win.Malware.Softcnapp-6932830-0]\nMultiple malware attack.", "modified": "2025-11-26T12:00:39.551000", "created": "2025-10-27T12:56:20.090000", "tags": [ "present may", "present jun", "name servers", "united", "status", "present aug", "present oct", "present jul", "present mar", "present nov", "date", "digicert", "whois", "forums", "symantec", "comcast", "levelblue", "open threat", "pulse", "urls", "as13335", "info", "server", "domain status", "registrar abuse", "registrar", "dnssec", "domain name", "us registrant", "email", "contact email", "host name", "handle", "rdap database", "iana registrar", "present sep", "canada unknown", "moved", "ip address", "search", "title", "encrypt", "ubuntu", "linux x8664", "gobrut service", "bruter cnc", "entries", "show", "activity", "stca", "unknown", "malware", "copy", "next", "team", "script urls", "a domains", "passive dns", "gmt server", "content type", "body", "meta", "for privacy", "creation date", "name redacted", "expiration date", "servers", "hostname add", "pulse pulses", "13371", "qq v", "process32nextw", "regopenkeyexw", "medium", "langchinese", "get na", "rticon", "security", "high", "win32", "write", "dynamicloader", "checks", "alerts", "bios", "dynamic", "total", "read", "delete", "name strings", "south korea" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia", "Canada", "Bulgaria", "Germany", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3301, "email": 9, "hostname": 1202, "FileHash-SHA256": 1967, "domain": 1885, "FileHash-MD5": 153, "FileHash-SHA1": 151, "CVE": 1, "SSLCertFingerprint": 82, "FilePath": 1 }, "indicator_count": 8752, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mkluk.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mkluk.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780336988.022085 }