{ "type": "Domain", "indicator": "mrd0x.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mrd0x.com", "alexa": "http://www.alexa.com/siteinfo/mrd0x.com", "indicator": "mrd0x.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3263108094, "indicator": "mrd0x.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "67ad1528608f24b71bcea41b", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-12T21:39:52.146000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386478, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac163718a6b7c8f0fb4478", "name": "FileFix The Evolved ClickFix.", "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.", "modified": "2025-09-24T07:05:04.439000", "created": "2025-08-25T07:52:23.112000", "tags": [ "filefix", "clickfix", "mrd0x", "file explorer", "kongtuke", "html code", "run dialogue", "windows run", "windows command", "june", "fakeupdates", "powershell", "clearfake", "execution", "malware", "mintsloader", "stealc", "akira", "rhysida", "monitoring", "apply", "base64", "socghoulish", "url https", "domain", "url http", "file name", "name", "ip address", "sha256", "indicator type", "userprofile", "sha256 http" ], "references": [ "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "KongTuke", "display_name": "KongTuke", "target": null }, { "id": "FileFix", "display_name": "FileFix", "target": null }, { "id": "SocGhoulish", "display_name": "SocGhoulish", "target": null } ], "attack_ids": [ { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 66, "domain": 45, "hostname": 3 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f4f48d37821bbe86d273e4", "name": "Google TI", "description": "", "modified": "2025-05-08T10:01:07.317000", "created": "2025-04-08T10:03:57.871000", "tags": [ "span", "code", "figure", "strong", "figcaption", "mandiant", "gemini", "tbody", "gtig", "google threat", "ukraine", "scatterbrain", "android", "spawnant", "python", "example", "turla", "info", "encrypt", "spawnmole", "rust", "spawnsloth", "test", "malware", "download", "installer", "spawnsnail", "telegram", "next", "service", "path", "protect", "poisonplug", "import", "powershell", "monitoring", "execution", "nirvana", "body", "august", "june", "ransomware", "conti", "virustotal", "loop", "middle", "comment", "first", "write", "darkgate", "core", "cluster", "april", "february", "spawn", "launch", "back", "impact", "andromeda", "swift", "alliance", "alphabet", "recon", "ruby", "shadow", "template", "donut", "asyncrat", "drop", "persistence", "click", "rogue", "tools", "stream", "responder", "slovakia", "gobrat", "grep", "term", "reptile", "medusa", "ghost", "crash", "compiler", "lost", "poolrat", "beyond", "chisel", "install", "defender", "belarus", "qilin", "school", "akira", "dcrat", "warzone", "smokeloader", "prestige", "eternalpetya", "notpetya", "blackenergy", "whispergate", "kopiluwak", "quietcanary", "darkside", "delta", "noescape", "ransomhouse", "kimsuky", "bitcoin", "tron", "elevate", "evolution", "format", "play", "rapid", "metasploit", "cobalt strike", "impacket", "outside", "tech", "mimikatz", "media", "shadowpad", "done", "loader", "zero", "push", "logic", "target", "mutation", "cold", "verify", "restrict", "trace", "false", "defense", "qakbot", "zipline", "lightwire", "warpwire", "launcher", "date", "strings", "internal", "macho" ], "references": [ "https://feeds.feedburner.com/threatintelligence/pvexyqv7v0v" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bxsolaaa", "id": "311398", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 22, "CVE": 14, "FileHash-MD5": 31, "FileHash-SHA1": 20, "FileHash-SHA256": 30, "YARA": 3, "domain": 40, "hostname": 19 }, "indicator_count": 179, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2f13832155bc5dfad296d", "name": "FINALDRAFT Malware Abuses Outlook for C2 Communications", "description": "A newly discovered cyber espionage campaign has been linked to a threat group known as REF7707, which has been targeting government and academic institutions since November 2024. Researchers said the attackers infiltrated a foreign ministry in South America, along with a university and a telecom company in Southeast Asia, using advanced malware with remote access capabilities.", "modified": "2025-03-19T08:03:48.856000", "created": "2025-02-17T08:20:08.494000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af309efc6f5de1cd9ef928", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:01:34.802000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af3355478fdffe2019aa39", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:13:09.070000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67adc07895a547efedcbbf76", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-15T09:02:47.004000", "created": "2025-02-13T09:50:48.440000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2be450355dada78bd81ec", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-17T04:42:45.282000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": "67ad1528608f24b71bcea41b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix", "https://www.elastic.co/security-labs/fragile-web-ref7707", "https://feeds.feedburner.com/threatintelligence/pvexyqv7v0v", "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721", "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Finaldraft", "Pathloader", "Guiloader" ], "industries": [ "Government", "Telecommunications", "Education" ] }, "other": { "adversary": [], "malware_families": [ "Finaldraft", "Socghoulish", "Pathloader", "Filefix", "Kongtuke", "Guiloader", "C:\\\\windows\\\\system32\\\\net1", "Base64" ], "industries": [ "Government", "Telecommunications", "Foreign", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "67ad1528608f24b71bcea41b", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices.", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-12T21:39:52.146000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 386478, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68ac163718a6b7c8f0fb4478", "name": "FileFix The Evolved ClickFix.", "description": "In June 2025, the researcher known as MrD0x introduced a new variant of the ClickFix technique called FileFix, which enhances the initial access capabilities used by threat actors. Unlike traditional ClickFix attacks that utilize the Windows Run dialogue, FileFix capitalizes on the File Explorer address bar to execute commands, thereby circumventing detection methods that rely on Run dialogue interactions.\n\nClickFix originated in 2024 and has become a favoured method among various threat actors, including groups TA571 and TA569, as well as multiple initial access brokers. The technique relies heavily on social engineering, requiring users to manually execute malicious code following specific instructions provided on a web page. This direct user engagement is essential for the success of the attack, enabling perpetrators to gain access to targeted systems effectively.", "modified": "2025-09-24T07:05:04.439000", "created": "2025-08-25T07:52:23.112000", "tags": [ "filefix", "clickfix", "mrd0x", "file explorer", "kongtuke", "html code", "run dialogue", "windows run", "windows command", "june", "fakeupdates", "powershell", "clearfake", "execution", "malware", "mintsloader", "stealc", "akira", "rhysida", "monitoring", "apply", "base64", "socghoulish", "url https", "domain", "url http", "file name", "name", "ip address", "sha256", "indicator type", "userprofile", "sha256 http" ], "references": [ "https://www.bridewell.com/insights/blogs/detail/filefix-the-evolved-clickfix" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Base64", "display_name": "Base64", "target": null }, { "id": "KongTuke", "display_name": "KongTuke", "target": null }, { "id": "FileFix", "display_name": "FileFix", "target": null }, { "id": "SocGhoulish", "display_name": "SocGhoulish", "target": null } ], "attack_ids": [ { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "URL": 66, "domain": 45, "hostname": 3 }, "indicator_count": 126, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f4f48d37821bbe86d273e4", "name": "Google TI", "description": "", "modified": "2025-05-08T10:01:07.317000", "created": "2025-04-08T10:03:57.871000", "tags": [ "span", "code", "figure", "strong", "figcaption", "mandiant", "gemini", "tbody", "gtig", "google threat", "ukraine", "scatterbrain", "android", "spawnant", "python", "example", "turla", "info", "encrypt", "spawnmole", "rust", "spawnsloth", "test", "malware", "download", "installer", "spawnsnail", "telegram", "next", "service", "path", "protect", "poisonplug", "import", "powershell", "monitoring", "execution", "nirvana", "body", "august", "june", "ransomware", "conti", "virustotal", "loop", "middle", "comment", "first", "write", "darkgate", "core", "cluster", "april", "february", "spawn", "launch", "back", "impact", "andromeda", "swift", "alliance", "alphabet", "recon", "ruby", "shadow", "template", "donut", "asyncrat", "drop", "persistence", "click", "rogue", "tools", "stream", "responder", "slovakia", "gobrat", "grep", "term", "reptile", "medusa", "ghost", "crash", "compiler", "lost", "poolrat", "beyond", "chisel", "install", "defender", "belarus", "qilin", "school", "akira", "dcrat", "warzone", "smokeloader", "prestige", "eternalpetya", "notpetya", "blackenergy", "whispergate", "kopiluwak", "quietcanary", "darkside", "delta", "noescape", "ransomhouse", "kimsuky", "bitcoin", "tron", "elevate", "evolution", "format", "play", "rapid", "metasploit", "cobalt strike", "impacket", "outside", "tech", "mimikatz", "media", "shadowpad", "done", "loader", "zero", "push", "logic", "target", "mutation", "cold", "verify", "restrict", "trace", "false", "defense", "qakbot", "zipline", "lightwire", "warpwire", "launcher", "date", "strings", "internal", "macho" ], "references": [ "https://feeds.feedburner.com/threatintelligence/pvexyqv7v0v" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bxsolaaa", "id": "311398", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 22, "CVE": 14, "FileHash-MD5": 31, "FileHash-SHA1": 20, "FileHash-SHA256": 30, "YARA": 3, "domain": 40, "hostname": 19 }, "indicator_count": 179, "is_author": false, "is_subscribing": null, "subscriber_count": 2, "modified_text": "387 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2f13832155bc5dfad296d", "name": "FINALDRAFT Malware Abuses Outlook for C2 Communications", "description": "A newly discovered cyber espionage campaign has been linked to a threat group known as REF7707, which has been targeting government and academic institutions since November 2024. Researchers said the attackers infiltrated a foreign ministry in South America, along with a university and a telecom company in Southeast Asia, using advanced malware with remote access capabilities.", "modified": "2025-03-19T08:03:48.856000", "created": "2025-02-17T08:20:08.494000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 215, "modified_text": "437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af309efc6f5de1cd9ef928", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:01:34.802000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67af3355478fdffe2019aa39", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-16T12:05:04.253000", "created": "2025-02-14T12:13:09.070000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707?utm_source=organic-social&utm_medium=twitter&utm_campaign=esl:_threat_research_esl_blog_post&utm_content=16121679496&linkId=746103721" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 17, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 72, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "440 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67adc07895a547efedcbbf76", "name": "From South America to Southeast Asia: The Fragile Web of REF7707 \u2014 Elastic Security Labs", "description": "A detailed analysis of the malware used to infiltrate a foreign ministry in South America, as part of a multi-million dollar cyber-attack, reveals details about the operation, the tactics and infrastructure used by the attackers.", "modified": "2025-03-15T09:02:47.004000", "created": "2025-02-13T09:50:48.440000", "tags": [ "finaldraft", "ref7707", "virustotal", "guidloader", "microsoft", "labs", "pathloader", "southeast asia", "windows", "security labs", "august", "powershell", "siestagraph", "malware", "agent", "persistence", "hong", "february", "c:\\\\windows\\\\system32\\\\net1" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "C:\\\\Windows\\\\system32\\\\net1", "display_name": "C:\\\\Windows\\\\system32\\\\net1", "target": null }, { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Foreign", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 2, "domain": 8, "hostname": 9 }, "indicator_count": 48, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "441 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67b2be450355dada78bd81ec", "name": "From South America to Southeast Asia: The Fragile Web of REF7707", "description": "", "modified": "2025-03-14T21:04:23.242000", "created": "2025-02-17T04:42:45.282000", "tags": [ "finaldraft", "ref7707", "guidloader", "pathloader", "southeast asia", "windows", "powershell", "siestagraph", "persistence", "linux", "typo squatting", "certutil", "lolbas", "lolbin", "scheduled task", "remote admin" ], "references": [ "https://www.elastic.co/security-labs/fragile-web-ref7707" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PATHLOADER", "display_name": "PATHLOADER", "target": null }, { "id": "FINALDRAFT", "display_name": "FINALDRAFT", "target": null }, { "id": "GUILOADER", "display_name": "GUILOADER", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Telecommunications", "Education", "Government" ], "TLP": "white", "cloned_from": "67ad1528608f24b71bcea41b", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 19, "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "442 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mrd0x.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mrd0x.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200619.732564 }