{
  "type": "Domain",
  "indicator": "moralis-api-v3.cloud",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/moralis-api-v3.cloud",
    "alexa": "http://www.alexa.com/siteinfo/moralis-api-v3.cloud",
    "indicator": "moralis-api-v3.cloud",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4067084610,
      "indicator": "moralis-api-v3.cloud",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6820301bf40ecf6cb4a38f38",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
          "description": "The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new Stealer modules for credential theft, improved virtual environment detection, and modified clipboard stealing methods. The malware now targets various file types, including those related to cryptocurrencies, and has sophisticated methods for stealing browser credentials. The continuous updates to OtterCookie demonstrate WaterPlum's active development efforts, posing an ongoing threat to financial institutions and cryptocurrency operators worldwide.",
          "modified": "2025-06-10T05:00:59.745000",
          "created": "2025-05-11T05:05:31.267000",
          "tags": [
            "invisibleferret",
            "stealer",
            "windows",
            "cryptocurrency",
            "credential theft",
            "macos",
            "financial institutions",
            "north korea",
            "ottercookie",
            "beavertail"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "WageMole",
          "targeted_countries": [
            "Japan"
          ],
          "malware_families": [
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            },
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386647,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a64eabf1247228cd91f305",
          "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware",
          "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.",
          "modified": "2026-04-02T02:10:40.173000",
          "created": "2026-03-03T02:59:55.403000",
          "tags": [
            "javascript",
            "malware",
            "npm",
            "dprk",
            "appdata",
            "pastebin",
            "february",
            "famous chollima",
            "wednesday",
            "pm cdt",
            "edgar04231",
            "gemini",
            "next",
            "linux",
            "execution",
            "macos",
            "back",
            "\u2019m",
            "lazarus",
            "threat intelligence",
            "osint",
            "https",
            "apikey",
            "starlancer555",
            "thtduoje",
            "luka1291",
            "http",
            "millosmike3",
            "kaiserman1029",
            "crouchtomy",
            "holppkgaske6i75",
            "vlad",
            "malicious",
            "info",
            "august",
            "ottercookie",
            "beavertail",
            "april",
            "june",
            "contact"
          ],
          "references": [
            "https://kmsec.uk/blog/dprk-text-steganography/",
            "https://dprk-research.kmsec.uk/?start=1733011200000"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "\u2019m",
              "display_name": "\u2019m",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 12,
            "FileHash-SHA1": 10,
            "FileHash-SHA256": 379,
            "email": 76,
            "URL": 57,
            "domain": 21,
            "hostname": 34
          },
          "indicator_count": 589,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689483159128c89f669e87d6",
          "name": "EbeeAugust2025 Pt1",
          "description": "",
          "modified": "2025-09-06T10:00:39.896000",
          "created": "2025-08-07T10:42:29.730000",
          "tags": [],
          "references": [
            "Aug1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 75,
            "CVE": 1,
            "FileHash-MD5": 111,
            "FileHash-SHA1": 139,
            "FileHash-SHA256": 243,
            "domain": 137,
            "hostname": 43,
            "email": 1
          },
          "indicator_count": 750,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "267 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6821d949f6b867405ed38192",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
          "description": "",
          "modified": "2025-06-11T11:02:57.911000",
          "created": "2025-05-12T11:19:37.949000",
          "tags": [
            "strong",
            "ottercookie",
            "waterplum",
            "google chrome",
            "login data",
            "download",
            "main module",
            "stealer module",
            "masaya motoda",
            "rintaro koike",
            "february",
            "april",
            "macos",
            "beavertail",
            "invisibleferret",
            "stealer",
            "accept"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Sand-Storm",
            "id": "94093",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 413,
          "modified_text": "354 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6821d95685592ea0f8484ced",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
          "description": "",
          "modified": "2025-06-11T11:02:57.911000",
          "created": "2025-05-12T11:19:49.984000",
          "tags": [
            "strong",
            "ottercookie",
            "waterplum",
            "google chrome",
            "login data",
            "download",
            "main module",
            "stealer module",
            "masaya motoda",
            "rintaro koike",
            "february",
            "april",
            "macos",
            "beavertail",
            "invisibleferret",
            "stealer",
            "accept"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Sand-Storm",
            "id": "94093",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 413,
          "modified_text": "354 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6822c9c1ff97cbeb534e965d",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
          "description": "",
          "modified": "2025-06-10T05:00:59.745000",
          "created": "2025-05-13T04:25:37.044000",
          "tags": [
            "invisibleferret",
            "stealer",
            "windows",
            "cryptocurrency",
            "credential theft",
            "macos",
            "financial institutions",
            "north korea",
            "ottercookie",
            "beavertail"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "WaterPlum",
          "targeted_countries": [
            "Japan"
          ],
          "malware_families": [
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            },
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "6820301bf40ecf6cb4a38f38",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6824456968bc22b5832d4209",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
          "description": "",
          "modified": "2025-06-10T05:00:59.745000",
          "created": "2025-05-14T07:25:29.342000",
          "tags": [
            "invisibleferret",
            "stealer",
            "windows",
            "cryptocurrency",
            "credential theft",
            "macos",
            "financial institutions",
            "north korea",
            "ottercookie",
            "beavertail"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "WaterPlum",
          "targeted_countries": [
            "Japan"
          ],
          "malware_families": [
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            },
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "6820301bf40ecf6cb4a38f38",
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682ab285563f035283076acc",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
          "description": "",
          "modified": "2025-06-10T05:00:59.745000",
          "created": "2025-05-19T04:24:37.887000",
          "tags": [
            "invisibleferret",
            "stealer",
            "windows",
            "cryptocurrency",
            "credential theft",
            "macos",
            "financial institutions",
            "north korea",
            "ottercookie",
            "beavertail"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "WaterPlum",
          "targeted_countries": [
            "Japan"
          ],
          "malware_families": [
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            },
            {
              "id": "BeaverTail",
              "display_name": "BeaverTail",
              "target": null
            },
            {
              "id": "InvisibleFerret",
              "display_name": "InvisibleFerret",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            }
          ],
          "industries": [
            "Finance",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "6820301bf40ecf6cb4a38f38",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681fb0a920db0a60817f753c",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
          "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).",
          "modified": "2025-06-09T20:02:22.586000",
          "created": "2025-05-10T20:01:45.064000",
          "tags": [
            "strong",
            "ottercookie",
            "waterplum",
            "google chrome",
            "login data",
            "download",
            "main module",
            "stealer module",
            "masaya motoda",
            "rintaro koike",
            "february",
            "april",
            "macos",
            "beavertail",
            "invisibleferret",
            "stealer",
            "accept",
            "contagious interview"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Korea, Democratic People's Republic of",
            "Japan",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Contagious Interview",
              "display_name": "Contagious Interview",
              "target": null
            },
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Financial",
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 213,
          "modified_text": "356 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681de4f2c62ec9577ad29661",
          "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
          "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).",
          "modified": "2025-06-08T11:02:48.130000",
          "created": "2025-05-09T11:20:18.509000",
          "tags": [
            "strong",
            "ottercookie",
            "waterplum",
            "google chrome",
            "login data",
            "download",
            "main module",
            "stealer module",
            "masaya motoda",
            "rintaro koike",
            "february",
            "april",
            "macos",
            "beavertail",
            "invisibleferret",
            "stealer",
            "accept",
            "contagious interview"
          ],
          "references": [
            "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Korea, Democratic People's Republic of",
            "Japan",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "Contagious Interview",
              "display_name": "Contagious Interview",
              "target": null
            },
            {
              "id": "OtterCookie",
              "display_name": "OtterCookie",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Financial",
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ahyka123",
            "id": "254370",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4
          },
          "indicator_count": 4,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "357 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie",
        "Aug1.pdf",
        "https://kmsec.uk/blog/dprk-text-steganography/",
        "https://dprk-research.kmsec.uk/?start=1733011200000"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "WageMole"
          ],
          "malware_families": [
            "Ottercookie",
            "Beavertail",
            "Invisibleferret"
          ],
          "industries": [
            "Finance",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "WaterPlum",
            "Multiple"
          ],
          "malware_families": [
            "\u2019m",
            "Beavertail",
            "Contagious interview",
            "Invisibleferret",
            "Ottercookie"
          ],
          "industries": [
            "Finance",
            "Technology",
            "Cryptocurrency",
            "Financial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6820301bf40ecf6cb4a38f38",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
      "description": "The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new Stealer modules for credential theft, improved virtual environment detection, and modified clipboard stealing methods. The malware now targets various file types, including those related to cryptocurrencies, and has sophisticated methods for stealing browser credentials. The continuous updates to OtterCookie demonstrate WaterPlum's active development efforts, posing an ongoing threat to financial institutions and cryptocurrency operators worldwide.",
      "modified": "2025-06-10T05:00:59.745000",
      "created": "2025-05-11T05:05:31.267000",
      "tags": [
        "invisibleferret",
        "stealer",
        "windows",
        "cryptocurrency",
        "credential theft",
        "macos",
        "financial institutions",
        "north korea",
        "ottercookie",
        "beavertail"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "WageMole",
      "targeted_countries": [
        "Japan"
      ],
      "malware_families": [
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        },
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386647,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a64eabf1247228cd91f305",
      "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware",
      "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00a31m-worth of malware.",
      "modified": "2026-04-02T02:10:40.173000",
      "created": "2026-03-03T02:59:55.403000",
      "tags": [
        "javascript",
        "malware",
        "npm",
        "dprk",
        "appdata",
        "pastebin",
        "february",
        "famous chollima",
        "wednesday",
        "pm cdt",
        "edgar04231",
        "gemini",
        "next",
        "linux",
        "execution",
        "macos",
        "back",
        "\u2019m",
        "lazarus",
        "threat intelligence",
        "osint",
        "https",
        "apikey",
        "starlancer555",
        "thtduoje",
        "luka1291",
        "http",
        "millosmike3",
        "kaiserman1029",
        "crouchtomy",
        "holppkgaske6i75",
        "vlad",
        "malicious",
        "info",
        "august",
        "ottercookie",
        "beavertail",
        "april",
        "june",
        "contact"
      ],
      "references": [
        "https://kmsec.uk/blog/dprk-text-steganography/",
        "https://dprk-research.kmsec.uk/?start=1733011200000"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "\u2019m",
          "display_name": "\u2019m",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 12,
        "FileHash-SHA1": 10,
        "FileHash-SHA256": 379,
        "email": 76,
        "URL": 57,
        "domain": 21,
        "hostname": 34
      },
      "indicator_count": 589,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689483159128c89f669e87d6",
      "name": "EbeeAugust2025 Pt1",
      "description": "",
      "modified": "2025-09-06T10:00:39.896000",
      "created": "2025-08-07T10:42:29.730000",
      "tags": [],
      "references": [
        "Aug1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 75,
        "CVE": 1,
        "FileHash-MD5": 111,
        "FileHash-SHA1": 139,
        "FileHash-SHA256": 243,
        "domain": 137,
        "hostname": 43,
        "email": 1
      },
      "indicator_count": 750,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "267 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6821d949f6b867405ed38192",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
      "description": "",
      "modified": "2025-06-11T11:02:57.911000",
      "created": "2025-05-12T11:19:37.949000",
      "tags": [
        "strong",
        "ottercookie",
        "waterplum",
        "google chrome",
        "login data",
        "download",
        "main module",
        "stealer module",
        "masaya motoda",
        "rintaro koike",
        "february",
        "april",
        "macos",
        "beavertail",
        "invisibleferret",
        "stealer",
        "accept"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Sand-Storm",
        "id": "94093",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 413,
      "modified_text": "354 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6821d95685592ea0f8484ced",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
      "description": "",
      "modified": "2025-06-11T11:02:57.911000",
      "created": "2025-05-12T11:19:49.984000",
      "tags": [
        "strong",
        "ottercookie",
        "waterplum",
        "google chrome",
        "login data",
        "download",
        "main module",
        "stealer module",
        "masaya motoda",
        "rintaro koike",
        "february",
        "april",
        "macos",
        "beavertail",
        "invisibleferret",
        "stealer",
        "accept"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Sand-Storm",
        "id": "94093",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 413,
      "modified_text": "354 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6822c9c1ff97cbeb534e965d",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
      "description": "",
      "modified": "2025-06-10T05:00:59.745000",
      "created": "2025-05-13T04:25:37.044000",
      "tags": [
        "invisibleferret",
        "stealer",
        "windows",
        "cryptocurrency",
        "credential theft",
        "macos",
        "financial institutions",
        "north korea",
        "ottercookie",
        "beavertail"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "WaterPlum",
      "targeted_countries": [
        "Japan"
      ],
      "malware_families": [
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        },
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "6820301bf40ecf6cb4a38f38",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6824456968bc22b5832d4209",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
      "description": "",
      "modified": "2025-06-10T05:00:59.745000",
      "created": "2025-05-14T07:25:29.342000",
      "tags": [
        "invisibleferret",
        "stealer",
        "windows",
        "cryptocurrency",
        "credential theft",
        "macos",
        "financial institutions",
        "north korea",
        "ottercookie",
        "beavertail"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "WaterPlum",
      "targeted_countries": [
        "Japan"
      ],
      "malware_families": [
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        },
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "6820301bf40ecf6cb4a38f38",
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682ab285563f035283076acc",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum",
      "description": "",
      "modified": "2025-06-10T05:00:59.745000",
      "created": "2025-05-19T04:24:37.887000",
      "tags": [
        "invisibleferret",
        "stealer",
        "windows",
        "cryptocurrency",
        "credential theft",
        "macos",
        "financial institutions",
        "north korea",
        "ottercookie",
        "beavertail"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "WaterPlum",
      "targeted_countries": [
        "Japan"
      ],
      "malware_families": [
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        },
        {
          "id": "BeaverTail",
          "display_name": "BeaverTail",
          "target": null
        },
        {
          "id": "InvisibleFerret",
          "display_name": "InvisibleFerret",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        }
      ],
      "industries": [
        "Finance",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "6820301bf40ecf6cb4a38f38",
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681fb0a920db0a60817f753c",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
      "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).",
      "modified": "2025-06-09T20:02:22.586000",
      "created": "2025-05-10T20:01:45.064000",
      "tags": [
        "strong",
        "ottercookie",
        "waterplum",
        "google chrome",
        "login data",
        "download",
        "main module",
        "stealer module",
        "masaya motoda",
        "rintaro koike",
        "february",
        "april",
        "macos",
        "beavertail",
        "invisibleferret",
        "stealer",
        "accept",
        "contagious interview"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Korea, Democratic People's Republic of",
        "Japan",
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "Contagious Interview",
          "display_name": "Contagious Interview",
          "target": null
        },
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Financial",
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 213,
      "modified_text": "356 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681de4f2c62ec9577ad29661",
      "name": "Additional Features of OtterCookie Malware Used by WaterPlum | NTT\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c6\u30af\u30cb\u30ab\u30eb\u30d6\u30ed\u30b0",
      "description": "The latest version of the OtterCookie malware used by WaterPlum, a North Korean-linked cyber-attack group, has been released by the Japanese National Security Agency (NSJ).",
      "modified": "2025-06-08T11:02:48.130000",
      "created": "2025-05-09T11:20:18.509000",
      "tags": [
        "strong",
        "ottercookie",
        "waterplum",
        "google chrome",
        "login data",
        "download",
        "main module",
        "stealer module",
        "masaya motoda",
        "rintaro koike",
        "february",
        "april",
        "macos",
        "beavertail",
        "invisibleferret",
        "stealer",
        "accept",
        "contagious interview"
      ],
      "references": [
        "https://jp.security.ntt/tech_blog/en-waterplum-ottercookie"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Korea, Democratic People's Republic of",
        "Japan",
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "Contagious Interview",
          "display_name": "Contagious Interview",
          "target": null
        },
        {
          "id": "OtterCookie",
          "display_name": "OtterCookie",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Financial",
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ahyka123",
        "id": "254370",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4
      },
      "indicator_count": 4,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "357 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "moralis-api-v3.cloud",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "moralis-api-v3.cloud",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780306982.0083492
}