{ "type": "Domain", "indicator": "msec.live", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/msec.live", "alexa": "http://www.alexa.com/siteinfo/msec.live", "indicator": "msec.live", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3536401049, "indicator": "msec.live", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "62fce38c1455a7d74ea783dd", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "Over the past 3 years, Recorded Future have observed RedAlpha registering\nand weaponizing hundreds of domains spoofing organizations\nsuch as the International Federation for Human Rights (FIDH),\nAmnesty International, the Mercator Institute for China Studies\n(MERICS), Radio Free Asia (RFA), the American Institute in Taiwan\n(AIT), and other global government, think tank, and humanitarian\norganizations that fall within the strategic interests of the Chinese\ngovernment. Historically, the group has also engaged in direct\ntargeting of ethnic and religious minorities, including individuals\nand organizations within Tibetan and Uyghur communities. As\nhighlighted within this report, in recent years RedAlpha has also\ndisplayed a particular interest in spoofing political, government,\nand think tank organizations in Taiwan, likely in an effort to\ngather political intelligence.", "modified": "2022-08-17T12:48:11.631000", "created": "2022-08-17T12:48:11.631000", "tags": [ "RedAlpha", "Theft", "Credential" ], "references": [ "https://raw.githubusercontent.com/Insikt-Group/Research/9571bd788b9ca122ffa8078a3e562da0ebe566b1/RedAlpha%20-%20June%202022/RedAlpha%20June%202022%20Indicators.txt", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf" ], "public": 1, "adversary": "RedAlpha", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 463, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 439 }, "indicator_count": 451, "is_author": false, "is_subscribing": null, "subscriber_count": 386530, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fe567ad45469d23af3df9c", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "Hackers are using Amazon.com (AWC) as a way to steal users' credentials, according to researchers at Check Point. and the firm is providing an attack brief for the first time.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T15:10:50.991000", "tags": [ "redalpha", "taiwan", "future", "fidh", "merics", "china", "ttps", "editor", "red dev", "june", "njrat", "reddelta", "outside", "zimbra" ], "references": [ "Recorded Future _ RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations.pdf", "https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 451 }, "indicator_count": 481, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fdd954f003a652cc537542", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "", "modified": "2022-08-18T06:16:52.496000", "created": "2022-08-18T06:16:52.496000", "tags": [], "references": [ "https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 9, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 439 }, "indicator_count": 478, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1382 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf", "https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank", "https://raw.githubusercontent.com/Insikt-Group/Research/9571bd788b9ca122ffa8078a3e562da0ebe566b1/RedAlpha%20-%20June%202022/RedAlpha%20June%202022%20Indicators.txt", "Recorded Future _ RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations.pdf" ], "related": { "alienvault": { "adversary": [ "RedAlpha" ], "malware_families": [], "industries": [ "Government", "Education" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "62fce38c1455a7d74ea783dd", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "Over the past 3 years, Recorded Future have observed RedAlpha registering\nand weaponizing hundreds of domains spoofing organizations\nsuch as the International Federation for Human Rights (FIDH),\nAmnesty International, the Mercator Institute for China Studies\n(MERICS), Radio Free Asia (RFA), the American Institute in Taiwan\n(AIT), and other global government, think tank, and humanitarian\norganizations that fall within the strategic interests of the Chinese\ngovernment. Historically, the group has also engaged in direct\ntargeting of ethnic and religious minorities, including individuals\nand organizations within Tibetan and Uyghur communities. As\nhighlighted within this report, in recent years RedAlpha has also\ndisplayed a particular interest in spoofing political, government,\nand think tank organizations in Taiwan, likely in an effort to\ngather political intelligence.", "modified": "2022-08-17T12:48:11.631000", "created": "2022-08-17T12:48:11.631000", "tags": [ "RedAlpha", "Theft", "Credential" ], "references": [ "https://raw.githubusercontent.com/Insikt-Group/Research/9571bd788b9ca122ffa8078a3e562da0ebe566b1/RedAlpha%20-%20June%202022/RedAlpha%20June%202022%20Indicators.txt", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf" ], "public": 1, "adversary": "RedAlpha", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134.001", "name": "Token Impersonation/Theft", "display_name": "T1134.001 - Token Impersonation/Theft" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 463, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 439 }, "indicator_count": 451, "is_author": false, "is_subscribing": null, "subscriber_count": 386530, "modified_text": "1383 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fe567ad45469d23af3df9c", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "Hackers are using Amazon.com (AWC) as a way to steal users' credentials, according to researchers at Check Point. and the firm is providing an attack brief for the first time.", "modified": "2022-09-17T00:02:49.667000", "created": "2022-08-18T15:10:50.991000", "tags": [ "redalpha", "taiwan", "future", "fidh", "merics", "china", "ttps", "editor", "red dev", "june", "njrat", "reddelta", "outside", "zimbra" ], "references": [ "Recorded Future _ RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations.pdf", "https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 451 }, "indicator_count": 481, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1352 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fdd954f003a652cc537542", "name": "RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations", "description": "", "modified": "2022-08-18T06:16:52.496000", "created": "2022-08-18T06:16:52.496000", "tags": [], "references": [ "https://www.recordedfuture.com/redalpha-credential-theft-campaign-targeting-humanitarian-thinktank", "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 9, "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "domain": 439 }, "indicator_count": 478, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1382 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "msec.live", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "msec.live", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780231868.2365897 }