{
  "type": "Domain",
  "indicator": "monoo3at.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/monoo3at.com",
    "alexa": "http://www.alexa.com/siteinfo/monoo3at.com",
    "indicator": "monoo3at.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3753611728,
      "indicator": "monoo3at.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 24,
      "pulses": [
        {
          "id": "6504b1daa3ab2929aab9745a",
          "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader",
          "description": "A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex.",
          "modified": "2023-10-15T19:02:22.348000",
          "created": "2023-09-15T19:34:49.393000",
          "tags": [
            "webex",
            "batloader",
            "ad campaign",
            "mexico",
            "google ads",
            "powershell",
            "python",
            "danabot"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 374,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 4
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386545,
          "modified_text": "958 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ff12aea0b9ba91d923da14",
          "name": "Threat Actor Profile: El Machete",
          "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s",
          "modified": "2025-04-16T02:15:10.602000",
          "created": "2025-04-16T02:15:10.602000",
          "tags": [
            "threat_actor",
            "unknown",
            "T1497",
            "T1114",
            "T1566.001",
            "T1059.003",
            "T1081",
            "T1059.006",
            "T1059",
            "T1566.002",
            "T1082",
            "T1027",
            "T1071.001",
            "T1566",
            "T1041",
            "T1105",
            "T1204.001",
            "T1049",
            "T1055",
            "T1036",
            "T1503",
            "T1114.001",
            "T1053",
            "T1140",
            "T1012",
            "T1071",
            "T1112",
            "T1036.005",
            "T1547",
            "T1057",
            "T1008",
            "T1518",
            "T1021",
            "T1011",
            "T1060",
            "T1539",
            "T1587",
            "T1087",
            "T1095",
            "T1102",
            "T1070",
            "T1130",
            "T1552",
            "T1106",
            "T1190",
            "T1007",
            "T1133",
            "T1090",
            "T1016",
            "T1137",
            "T1119",
            "T1124",
            "T1005",
            "T1059.001",
            "T1115",
            "T1562.001",
            "T1543",
            "T1078",
            "T1083",
            "T1530",
            "T1085",
            "T1003",
            "T1120",
            "T1218",
            "T1048",
            "T1553",
            "T1490",
            "T1497.003",
            "T1571",
            "T1204.002",
            "T1595.002",
            "T1102.002",
            "T1583.003",
            "T1027.009",
            "T1027.013",
            "T1132",
            "T1562",
            "T1110",
            "T1059.005",
            "T1218.007",
            "T1204",
            "T1550",
            "T1136",
            "T1555",
            "T1176",
            "T1204_-_User_Execution",
            "T1566_-_Phishing",
            "T1561",
            "T1583",
            "T1485",
            "T1127",
            "T1595",
            "T1573",
            "T1189",
            "T1486",
            "T1531",
            "T1529",
            "T1053.005",
            "T1047.",
            "target:Dominican Republic",
            "target:Venezuela",
            "target:Italy",
            "target:Colombia",
            "target:Ecuador",
            "target:Guatemala",
            "target:Belgium",
            "target:Malaysia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:United Kingdom",
            "target:China",
            "target:Germany",
            "target:Mexico",
            "target:Argentina",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States",
            "target:Sweden",
            "target:Ukraine",
            "target:South Korea",
            "target:Nicaragua",
            "target:Canada",
            "target:Russia",
            "target:otros"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "hostname": 18,
            "domain": 59
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 56,
          "modified_text": "410 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ff1245d4dc2a56e5561a57",
          "name": "Threat Actor Profile: El Machete",
          "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s",
          "modified": "2025-04-16T02:13:25.801000",
          "created": "2025-04-16T02:13:25.801000",
          "tags": [
            "threat_actor",
            "unknown",
            "T1497",
            "T1114",
            "T1566.001",
            "T1059.003",
            "T1081",
            "T1059.006",
            "T1059",
            "T1566.002",
            "T1082",
            "T1027",
            "T1071.001",
            "T1566",
            "T1041",
            "T1105",
            "T1204.001",
            "T1049",
            "T1055",
            "T1036",
            "T1503",
            "T1114.001",
            "T1053",
            "T1140",
            "T1012",
            "T1071",
            "T1112",
            "T1036.005",
            "T1547",
            "T1057",
            "T1008",
            "T1518",
            "T1021",
            "T1011",
            "T1060",
            "T1539",
            "T1587",
            "T1087",
            "T1095",
            "T1102",
            "T1070",
            "T1130",
            "T1552",
            "T1106",
            "T1190",
            "T1007",
            "T1133",
            "T1090",
            "T1016",
            "T1137",
            "T1119",
            "T1124",
            "T1005",
            "T1059.001",
            "T1115",
            "T1562.001",
            "T1543",
            "T1078",
            "T1083",
            "T1530",
            "T1085",
            "T1003",
            "T1120",
            "T1218",
            "T1048",
            "T1553",
            "T1490",
            "T1497.003",
            "T1571",
            "T1204.002",
            "T1595.002",
            "T1102.002",
            "T1583.003",
            "T1027.009",
            "T1027.013",
            "T1132",
            "T1562",
            "T1110",
            "T1059.005",
            "T1218.007",
            "T1204",
            "T1550",
            "T1136",
            "T1555",
            "T1176",
            "T1204_-_User_Execution",
            "T1566_-_Phishing",
            "T1561",
            "T1583",
            "T1485",
            "T1127",
            "T1595",
            "T1573",
            "T1189",
            "T1486",
            "T1531",
            "T1529",
            "T1053.005",
            "T1047.",
            "target:Dominican Republic",
            "target:Venezuela",
            "target:Italy",
            "target:Colombia",
            "target:Ecuador",
            "target:Guatemala",
            "target:Belgium",
            "target:Malaysia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:United Kingdom",
            "target:China",
            "target:Germany",
            "target:Mexico",
            "target:Argentina",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States",
            "target:Sweden",
            "target:Ukraine",
            "target:South Korea",
            "target:Nicaragua",
            "target:Canada",
            "target:Russia",
            "target:otros"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 9,
            "hostname": 18,
            "domain": 59
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 56,
          "modified_text": "410 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67733b72d522398f5ea0a12d",
          "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
          "description": "Indicadores de Compromiso Estudio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
          "modified": "2025-01-30T00:00:18.927000",
          "created": "2024-12-31T00:31:46.858000",
          "tags": [
            "cve201711882",
            "cve20201472"
          ],
          "references": [],
          "public": 1,
          "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2631,
            "FileHash-SHA1": 2168,
            "FileHash-SHA256": 3401,
            "CVE": 25,
            "domain": 977,
            "hostname": 1226
          },
          "indicator_count": 10428,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "486 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6773390f17d71879c414676a",
          "name": "El Machete",
          "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticado malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.",
          "modified": "2025-01-30T00:00:18.927000",
          "created": "2024-12-31T00:21:35.813000",
          "tags": [
            "cve201711882",
            "cve20201472",
            "El Machete"
          ],
          "references": [],
          "public": 1,
          "adversary": "El Machete",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 473,
            "FileHash-SHA1": 471,
            "FileHash-SHA256": 500,
            "CVE": 9,
            "domain": 60,
            "hostname": 18
          },
          "indicator_count": 1531,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 60,
          "modified_text": "486 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6503d7178561b166376e753c",
          "name": "Fake Cisco Webex Google Ads Push Malware",
          "description": "",
          "modified": "2024-08-30T06:04:45.782000",
          "created": "2023-09-15T04:01:27.988000",
          "tags": [
            "webex",
            "google",
            "batloader",
            "urls",
            "cisco",
            "google search",
            "ad campaign",
            "webex logo",
            "mexico",
            "google ads",
            "virustotal",
            "nebula",
            "powershell",
            "python",
            "danabot",
            "group",
            "please",
            "team",
            "proofpoint",
            "eset research",
            "push",
            "cisa",
            "crowdstrike",
            "red dev",
            "dennis",
            "malware",
            "redline stealer",
            "trojan",
            "zloader",
            "evolution",
            "netwire rc",
            "jackal",
            "agent tesla",
            "twitter",
            "ave maria",
            "oilrig",
            "mask",
            "machete",
            "panda",
            "back",
            "nullmixer",
            "privateloader",
            "mars stealer",
            "ytstealer",
            "defense",
            "cobalt strike",
            "miner",
            "zeus",
            "mount locker",
            "quasar rat",
            "ransomware",
            "trickbot",
            "nanocore rat",
            "defensor id",
            "ctb locker",
            "wannacryptor",
            "stealer",
            "predator",
            "tiger",
            "attack",
            "download",
            "ixeshe",
            "aluminum",
            "msupdater",
            "nettraveler",
            "keyboy",
            "sednit",
            "sofacy",
            "oceanlotus",
            "holmium",
            "scarcruft",
            "venus",
            "sykipot",
            "leviathan",
            "amoeba",
            "hoodoo",
            "dragon",
            "star",
            "matanbuchus",
            "comnie",
            "termite",
            "emdivi",
            "greenbug",
            "careto",
            "cobalt",
            "cyber",
            "icefog",
            "trident",
            "dnspionage",
            "darkhotel",
            "luder",
            "nemim",
            "tapaoux",
            "pioneer",
            "havex",
            "evilnum",
            "carbanak",
            "gcman",
            "ghostnet",
            "bitter",
            "infy",
            "karakurt",
            "kinsing",
            "mercury",
            "naikon",
            "nitro",
            "strongpity",
            "powerpool",
            "indra",
            "sauron",
            "sidewinder",
            "redalpha",
            "mantis",
            "rocke",
            "mimic",
            "silence",
            "guardian",
            "teamspy",
            "teamtnt",
            "teamxrat",
            "turla",
            "snake",
            "wraith",
            "pfinet",
            "krypton",
            "zoopark",
            "unit",
            "threat response",
            "pla unit",
            "change",
            "intel",
            "ursnif",
            "tools",
            "jason",
            "vidar",
            "green",
            "hive",
            "stealth mango"
          ],
          "references": [
            "September 15th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3249 - Fake Cisco Webex Google Ads Push Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ursnif",
              "display_name": "Ursnif",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 120,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 31,
            "domain": 33,
            "FileHash-SHA1": 1,
            "YARA": 1,
            "hostname": 3
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "639 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6514b918026080b9276b9466",
          "name": "InQuest - 27-09-2023",
          "description": "",
          "modified": "2023-10-27T23:02:12.121000",
          "created": "2023-09-27T23:22:00.827000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 390,
            "URL": 2202,
            "hostname": 283,
            "domain": 245,
            "FileHash-MD5": 101,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3356,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1626,
          "modified_text": "946 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65136801b819947835b4c635",
          "name": "InQuest - 26-09-2023",
          "description": "",
          "modified": "2023-10-26T23:03:16.623000",
          "created": "2023-09-26T23:23:45.591000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 385,
            "URL": 2202,
            "hostname": 280,
            "domain": 257,
            "FileHash-MD5": 123,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3382,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "947 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6512166a08be3ef9b1320926",
          "name": "InQuest - 25-09-2023",
          "description": "",
          "modified": "2023-10-25T23:01:26.288000",
          "created": "2023-09-25T23:23:22.974000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 112,
            "URL": 2218,
            "hostname": 270,
            "domain": 245,
            "FileHash-SHA256": 377,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3357,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "948 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6510c4f1547dd8f6adb7b99e",
          "name": "InQuest - 24-09-2023",
          "description": "",
          "modified": "2023-10-24T23:02:23.686000",
          "created": "2023-09-24T23:23:29.606000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 108,
            "domain": 226,
            "URL": 2159,
            "hostname": 262,
            "FileHash-SHA256": 464,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3354,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "949 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650f744696a92abadc244360",
          "name": "InQuest - 23-09-2023",
          "description": "",
          "modified": "2023-10-23T23:04:57.873000",
          "created": "2023-09-23T23:27:02.068000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 505,
            "FileHash-MD5": 106,
            "hostname": 260,
            "URL": 2120,
            "domain": 216,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3342,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "950 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650e23a7e388741f9cc337da",
          "name": "InQuest - 22-09-2023",
          "description": "",
          "modified": "2023-10-22T23:02:24.444000",
          "created": "2023-09-22T23:30:47.363000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 567,
            "FileHash-MD5": 105,
            "domain": 197,
            "URL": 2072,
            "hostname": 252,
            "FileHash-SHA1": 135
          },
          "indicator_count": 3328,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "951 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650cd0f6fb1cf9d2f00afa97",
          "name": "InQuest - 21-09-2023",
          "description": "",
          "modified": "2023-10-21T23:02:19.178000",
          "created": "2023-09-21T23:25:42.338000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 614,
            "FileHash-MD5": 87,
            "URL": 2018,
            "hostname": 246,
            "domain": 187,
            "FileHash-SHA1": 136
          },
          "indicator_count": 3288,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1624,
          "modified_text": "952 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650b809877a79d4c6310b9b5",
          "name": "InQuest - 20-09-2023",
          "description": "",
          "modified": "2023-10-20T23:05:32.619000",
          "created": "2023-09-20T23:30:32.993000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 577,
            "FileHash-MD5": 85,
            "hostname": 246,
            "URL": 1982,
            "domain": 176,
            "FileHash-SHA1": 203
          },
          "indicator_count": 3269,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "953 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650a2f3e7daf7a8ac8e9d59c",
          "name": "InQuest - 19-09-2023",
          "description": "",
          "modified": "2023-10-19T23:00:47.834000",
          "created": "2023-09-19T23:31:10.598000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1994,
            "domain": 172,
            "hostname": 245,
            "FileHash-SHA256": 557,
            "FileHash-MD5": 82,
            "FileHash-SHA1": 203
          },
          "indicator_count": 3253,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "954 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6508dde4b872cc0a34fb85f6",
          "name": "InQuest - 18-09-2023",
          "description": "",
          "modified": "2023-10-18T23:03:17.365000",
          "created": "2023-09-18T23:31:48.978000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1992,
            "hostname": 248,
            "domain": 172,
            "FileHash-SHA256": 557,
            "FileHash-MD5": 82,
            "FileHash-SHA1": 203
          },
          "indicator_count": 3254,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "955 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65078d43297d9c8b2abca6ec",
          "name": "InQuest - 17-09-2023",
          "description": "",
          "modified": "2023-10-17T23:02:31.526000",
          "created": "2023-09-17T23:35:31.062000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 85,
            "FileHash-SHA256": 555,
            "URL": 1978,
            "domain": 165,
            "FileHash-SHA1": 203,
            "hostname": 259
          },
          "indicator_count": 3245,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "956 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650639f989cbbde5dc4ce00b",
          "name": "InQuest - 16-09-2023",
          "description": "",
          "modified": "2023-10-16T23:01:54.459000",
          "created": "2023-09-16T23:27:53.233000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 95,
            "URL": 1962,
            "FileHash-SHA256": 554,
            "FileHash-SHA1": 203,
            "hostname": 265,
            "domain": 156
          },
          "indicator_count": 3235,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "957 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6504e8e53b3763f429c2fe01",
          "name": "InQuest - 15-09-2023",
          "description": "",
          "modified": "2023-10-15T23:05:46.759000",
          "created": "2023-09-15T23:29:41.694000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 494,
            "FileHash-MD5": 112,
            "hostname": 287,
            "URL": 2112,
            "domain": 211,
            "FileHash-SHA1": 200
          },
          "indicator_count": 3416,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "958 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6506b95dd2f4d877b27d697a",
          "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader ",
          "description": "",
          "modified": "2023-10-15T19:02:22.348000",
          "created": "2023-09-17T08:31:25.972000",
          "tags": [
            "webex",
            "batloader",
            "ad campaign",
            "mexico",
            "google ads",
            "powershell",
            "python",
            "danabot"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Batloader",
              "display_name": "Batloader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6504b1daa3ab2929aab9745a",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 4
          },
          "indicator_count": 6,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "958 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6503986036a14055d1beb99b",
          "name": "InQuest - 14-09-2023",
          "description": "",
          "modified": "2023-10-14T23:02:24.337000",
          "created": "2023-09-14T23:33:52.751000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 442,
            "FileHash-MD5": 112,
            "URL": 2054,
            "domain": 202,
            "hostname": 284,
            "FileHash-SHA1": 202
          },
          "indicator_count": 3296,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "959 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6502c8c15369bfdc0f92bdd0",
          "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader",
          "description": "Malwarebytes is a leading anti-virus company that provides a comprehensive service for businesses and individuals to check their computer systems before they fall victim to a malicious attack.",
          "modified": "2023-10-14T08:01:23.789000",
          "created": "2023-09-14T08:48:01.653000",
          "tags": [
            "webex",
            "google",
            "batloader",
            "urls",
            "cisco",
            "google search",
            "ad campaign",
            "webex logo",
            "mexico",
            "google ads",
            "virustotal",
            "nebula",
            "powershell",
            "python",
            "danabot"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "960 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65036714fc39cccbf5490002",
          "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader (by mxdrthreat)",
          "description": "",
          "modified": "2023-10-14T08:01:23.789000",
          "created": "2023-09-14T20:03:32.680000",
          "tags": [
            "webex",
            "google",
            "batloader",
            "urls",
            "cisco",
            "google search",
            "ad campaign",
            "webex logo",
            "mexico",
            "google ads",
            "virustotal",
            "nebula",
            "powershell",
            "python",
            "danabot"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "650353ac472119e600839f7c",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 220,
          "modified_text": "960 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "650353ac472119e600839f7c",
          "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader",
          "description": "",
          "modified": "2023-10-14T08:01:23.789000",
          "created": "2023-09-14T18:40:44.752000",
          "tags": [
            "webex",
            "google",
            "batloader",
            "urls",
            "cisco",
            "google search",
            "ad campaign",
            "webex logo",
            "mexico",
            "google ads",
            "virustotal",
            "nebula",
            "powershell",
            "python",
            "danabot"
          ],
          "references": [
            "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6502c8c15369bfdc0f92bdd0",
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mxdrthreat",
            "id": "230035",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "URL": 1,
            "domain": 4
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "960 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "September 15th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3249 - Fake Cisco Webex Google Ads Push Malware.pdf",
        "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader",
        "https://labs.inquest.net/iocdb"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Batloader"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "El Machete, TAG-100, Mirage, Unamed_Grooup",
            "El Machete"
          ],
          "malware_families": [
            "Batloader",
            "Ursnif"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 24,
  "pulses": [
    {
      "id": "6504b1daa3ab2929aab9745a",
      "name": "PSA: Ongoing Webex malvertising campaign drops BatLoader",
      "description": "A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex.",
      "modified": "2023-10-15T19:02:22.348000",
      "created": "2023-09-15T19:34:49.393000",
      "tags": [
        "webex",
        "batloader",
        "ad campaign",
        "mexico",
        "google ads",
        "powershell",
        "python",
        "danabot"
      ],
      "references": [
        "https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex-malvertising-drops-batloader"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Batloader",
          "display_name": "Batloader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 374,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 4
      },
      "indicator_count": 6,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386545,
      "modified_text": "958 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ff12aea0b9ba91d923da14",
      "name": "Threat Actor Profile: El Machete",
      "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s",
      "modified": "2025-04-16T02:15:10.602000",
      "created": "2025-04-16T02:15:10.602000",
      "tags": [
        "threat_actor",
        "unknown",
        "T1497",
        "T1114",
        "T1566.001",
        "T1059.003",
        "T1081",
        "T1059.006",
        "T1059",
        "T1566.002",
        "T1082",
        "T1027",
        "T1071.001",
        "T1566",
        "T1041",
        "T1105",
        "T1204.001",
        "T1049",
        "T1055",
        "T1036",
        "T1503",
        "T1114.001",
        "T1053",
        "T1140",
        "T1012",
        "T1071",
        "T1112",
        "T1036.005",
        "T1547",
        "T1057",
        "T1008",
        "T1518",
        "T1021",
        "T1011",
        "T1060",
        "T1539",
        "T1587",
        "T1087",
        "T1095",
        "T1102",
        "T1070",
        "T1130",
        "T1552",
        "T1106",
        "T1190",
        "T1007",
        "T1133",
        "T1090",
        "T1016",
        "T1137",
        "T1119",
        "T1124",
        "T1005",
        "T1059.001",
        "T1115",
        "T1562.001",
        "T1543",
        "T1078",
        "T1083",
        "T1530",
        "T1085",
        "T1003",
        "T1120",
        "T1218",
        "T1048",
        "T1553",
        "T1490",
        "T1497.003",
        "T1571",
        "T1204.002",
        "T1595.002",
        "T1102.002",
        "T1583.003",
        "T1027.009",
        "T1027.013",
        "T1132",
        "T1562",
        "T1110",
        "T1059.005",
        "T1218.007",
        "T1204",
        "T1550",
        "T1136",
        "T1555",
        "T1176",
        "T1204_-_User_Execution",
        "T1566_-_Phishing",
        "T1561",
        "T1583",
        "T1485",
        "T1127",
        "T1595",
        "T1573",
        "T1189",
        "T1486",
        "T1531",
        "T1529",
        "T1053.005",
        "T1047.",
        "target:Dominican Republic",
        "target:Venezuela",
        "target:Italy",
        "target:Colombia",
        "target:Ecuador",
        "target:Guatemala",
        "target:Belgium",
        "target:Malaysia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:United Kingdom",
        "target:China",
        "target:Germany",
        "target:Mexico",
        "target:Argentina",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States",
        "target:Sweden",
        "target:Ukraine",
        "target:South Korea",
        "target:Nicaragua",
        "target:Canada",
        "target:Russia",
        "target:otros"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "hostname": 18,
        "domain": 59
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 56,
      "modified_text": "410 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ff1245d4dc2a56e5561a57",
      "name": "Threat Actor Profile: El Machete",
      "description": "# El Machete - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nEl Machete is a cyber espionage group primarily targeting Spanish-speaking nations. It has been active since at least 2014 and is known for its sophisticated malware and data exfiltration tactics. The group focuses on high-profile targets and is noted for its targeted spear-phishing campaigns.\n\n## Techniques\n* T1497\n* T1114\n* T1566.001\n* T1059.003\n* T1081\n* ... y 92 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Servicios p\u00fablicos\n* Seguridad nacional y asuntos internacionales\n* Telecomunicaciones\n* Servicios educativos\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* Venezuela\n* Italia\n* Colombia\n* Ecuador\n* ... y 28 m\u00e1s",
      "modified": "2025-04-16T02:13:25.801000",
      "created": "2025-04-16T02:13:25.801000",
      "tags": [
        "threat_actor",
        "unknown",
        "T1497",
        "T1114",
        "T1566.001",
        "T1059.003",
        "T1081",
        "T1059.006",
        "T1059",
        "T1566.002",
        "T1082",
        "T1027",
        "T1071.001",
        "T1566",
        "T1041",
        "T1105",
        "T1204.001",
        "T1049",
        "T1055",
        "T1036",
        "T1503",
        "T1114.001",
        "T1053",
        "T1140",
        "T1012",
        "T1071",
        "T1112",
        "T1036.005",
        "T1547",
        "T1057",
        "T1008",
        "T1518",
        "T1021",
        "T1011",
        "T1060",
        "T1539",
        "T1587",
        "T1087",
        "T1095",
        "T1102",
        "T1070",
        "T1130",
        "T1552",
        "T1106",
        "T1190",
        "T1007",
        "T1133",
        "T1090",
        "T1016",
        "T1137",
        "T1119",
        "T1124",
        "T1005",
        "T1059.001",
        "T1115",
        "T1562.001",
        "T1543",
        "T1078",
        "T1083",
        "T1530",
        "T1085",
        "T1003",
        "T1120",
        "T1218",
        "T1048",
        "T1553",
        "T1490",
        "T1497.003",
        "T1571",
        "T1204.002",
        "T1595.002",
        "T1102.002",
        "T1583.003",
        "T1027.009",
        "T1027.013",
        "T1132",
        "T1562",
        "T1110",
        "T1059.005",
        "T1218.007",
        "T1204",
        "T1550",
        "T1136",
        "T1555",
        "T1176",
        "T1204_-_User_Execution",
        "T1566_-_Phishing",
        "T1561",
        "T1583",
        "T1485",
        "T1127",
        "T1595",
        "T1573",
        "T1189",
        "T1486",
        "T1531",
        "T1529",
        "T1053.005",
        "T1047.",
        "target:Dominican Republic",
        "target:Venezuela",
        "target:Italy",
        "target:Colombia",
        "target:Ecuador",
        "target:Guatemala",
        "target:Belgium",
        "target:Malaysia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:United Kingdom",
        "target:China",
        "target:Germany",
        "target:Mexico",
        "target:Argentina",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States",
        "target:Sweden",
        "target:Ukraine",
        "target:South Korea",
        "target:Nicaragua",
        "target:Canada",
        "target:Russia",
        "target:otros"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 9,
        "hostname": 18,
        "domain": 59
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 56,
      "modified_text": "410 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67733b72d522398f5ea0a12d",
      "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
      "description": "Indicadores de Compromiso Estudio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
      "modified": "2025-01-30T00:00:18.927000",
      "created": "2024-12-31T00:31:46.858000",
      "tags": [
        "cve201711882",
        "cve20201472"
      ],
      "references": [],
      "public": 1,
      "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2631,
        "FileHash-SHA1": 2168,
        "FileHash-SHA256": 3401,
        "CVE": 25,
        "domain": 977,
        "hostname": 1226
      },
      "indicator_count": 10428,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "486 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6773390f17d71879c414676a",
      "name": "El Machete",
      "description": "El Machete es un grupo de ciberespionaje activo desde al menos 2014, enfocado en atacar principalmente a naciones de habla hispana. Este grupo es conocido por su sofisticado malware y t\u00e1cticas de exfiltraci\u00f3n de datos, con un enfoque en objetivos de alto perfil, como agencias gubernamentales y organizaciones estrat\u00e9gicas.",
      "modified": "2025-01-30T00:00:18.927000",
      "created": "2024-12-31T00:21:35.813000",
      "tags": [
        "cve201711882",
        "cve20201472",
        "El Machete"
      ],
      "references": [],
      "public": 1,
      "adversary": "El Machete",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 473,
        "FileHash-SHA1": 471,
        "FileHash-SHA256": 500,
        "CVE": 9,
        "domain": 60,
        "hostname": 18
      },
      "indicator_count": 1531,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 60,
      "modified_text": "486 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6503d7178561b166376e753c",
      "name": "Fake Cisco Webex Google Ads Push Malware",
      "description": "",
      "modified": "2024-08-30T06:04:45.782000",
      "created": "2023-09-15T04:01:27.988000",
      "tags": [
        "webex",
        "google",
        "batloader",
        "urls",
        "cisco",
        "google search",
        "ad campaign",
        "webex logo",
        "mexico",
        "google ads",
        "virustotal",
        "nebula",
        "powershell",
        "python",
        "danabot",
        "group",
        "please",
        "team",
        "proofpoint",
        "eset research",
        "push",
        "cisa",
        "crowdstrike",
        "red dev",
        "dennis",
        "malware",
        "redline stealer",
        "trojan",
        "zloader",
        "evolution",
        "netwire rc",
        "jackal",
        "agent tesla",
        "twitter",
        "ave maria",
        "oilrig",
        "mask",
        "machete",
        "panda",
        "back",
        "nullmixer",
        "privateloader",
        "mars stealer",
        "ytstealer",
        "defense",
        "cobalt strike",
        "miner",
        "zeus",
        "mount locker",
        "quasar rat",
        "ransomware",
        "trickbot",
        "nanocore rat",
        "defensor id",
        "ctb locker",
        "wannacryptor",
        "stealer",
        "predator",
        "tiger",
        "attack",
        "download",
        "ixeshe",
        "aluminum",
        "msupdater",
        "nettraveler",
        "keyboy",
        "sednit",
        "sofacy",
        "oceanlotus",
        "holmium",
        "scarcruft",
        "venus",
        "sykipot",
        "leviathan",
        "amoeba",
        "hoodoo",
        "dragon",
        "star",
        "matanbuchus",
        "comnie",
        "termite",
        "emdivi",
        "greenbug",
        "careto",
        "cobalt",
        "cyber",
        "icefog",
        "trident",
        "dnspionage",
        "darkhotel",
        "luder",
        "nemim",
        "tapaoux",
        "pioneer",
        "havex",
        "evilnum",
        "carbanak",
        "gcman",
        "ghostnet",
        "bitter",
        "infy",
        "karakurt",
        "kinsing",
        "mercury",
        "naikon",
        "nitro",
        "strongpity",
        "powerpool",
        "indra",
        "sauron",
        "sidewinder",
        "redalpha",
        "mantis",
        "rocke",
        "mimic",
        "silence",
        "guardian",
        "teamspy",
        "teamtnt",
        "teamxrat",
        "turla",
        "snake",
        "wraith",
        "pfinet",
        "krypton",
        "zoopark",
        "unit",
        "threat response",
        "pla unit",
        "change",
        "intel",
        "ursnif",
        "tools",
        "jason",
        "vidar",
        "green",
        "hive",
        "stealth mango"
      ],
      "references": [
        "September 15th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #3249 - Fake Cisco Webex Google Ads Push Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ursnif",
          "display_name": "Ursnif",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 120,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "URL": 31,
        "domain": 33,
        "FileHash-SHA1": 1,
        "YARA": 1,
        "hostname": 3
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "639 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6514b918026080b9276b9466",
      "name": "InQuest - 27-09-2023",
      "description": "",
      "modified": "2023-10-27T23:02:12.121000",
      "created": "2023-09-27T23:22:00.827000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 390,
        "URL": 2202,
        "hostname": 283,
        "domain": 245,
        "FileHash-MD5": 101,
        "FileHash-SHA1": 135
      },
      "indicator_count": 3356,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1626,
      "modified_text": "946 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65136801b819947835b4c635",
      "name": "InQuest - 26-09-2023",
      "description": "",
      "modified": "2023-10-26T23:03:16.623000",
      "created": "2023-09-26T23:23:45.591000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 385,
        "URL": 2202,
        "hostname": 280,
        "domain": 257,
        "FileHash-MD5": 123,
        "FileHash-SHA1": 135
      },
      "indicator_count": 3382,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "947 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6512166a08be3ef9b1320926",
      "name": "InQuest - 25-09-2023",
      "description": "",
      "modified": "2023-10-25T23:01:26.288000",
      "created": "2023-09-25T23:23:22.974000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 112,
        "URL": 2218,
        "hostname": 270,
        "domain": 245,
        "FileHash-SHA256": 377,
        "FileHash-SHA1": 135
      },
      "indicator_count": 3357,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "948 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6510c4f1547dd8f6adb7b99e",
      "name": "InQuest - 24-09-2023",
      "description": "",
      "modified": "2023-10-24T23:02:23.686000",
      "created": "2023-09-24T23:23:29.606000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 108,
        "domain": 226,
        "URL": 2159,
        "hostname": 262,
        "FileHash-SHA256": 464,
        "FileHash-SHA1": 135
      },
      "indicator_count": 3354,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "949 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "monoo3at.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "monoo3at.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780242214.588486
}