{
  "type": "Domain",
  "indicator": "mssoftupdateserver.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/mssoftupdateserver.com",
    "alexa": "http://www.alexa.com/siteinfo/mssoftupdateserver.com",
    "indicator": "mssoftupdateserver.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4136415266,
      "indicator": "mssoftupdateserver.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "68e81aa6fa499ffa699c90fe",
          "name": "EbeeOct2025 Pt1",
          "description": "",
          "modified": "2025-11-09T00:03:01.593000",
          "created": "2025-10-09T20:27:18.015000",
          "tags": [],
          "references": [
            "IOCs_Oct week-1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple APT/Malware",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 53,
            "URL": 46,
            "FileHash-MD5": 178,
            "FileHash-SHA1": 159,
            "FileHash-SHA256": 287,
            "CVE": 1,
            "domain": 71
          },
          "indicator_count": 795,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "203 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dd98718e1529162e88dac7",
          "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer",
          "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.",
          "modified": "2025-10-31T21:05:05.615000",
          "created": "2025-10-01T21:09:05.692000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "211 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68dc1d2412b0e354d73f4831",
          "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
          "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.",
          "modified": "2025-10-30T18:03:11.379000",
          "created": "2025-09-30T18:10:44.616000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "Hive0145",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "212 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68edfce2513a952356d99a24",
          "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
          "description": "",
          "modified": "2025-10-30T18:03:11.379000",
          "created": "2025-10-14T07:33:54.529000",
          "tags": [
            "detour dog",
            "strong",
            "june",
            "august",
            "july",
            "november",
            "los pollos",
            "september",
            "february",
            "april",
            "cloud",
            "service",
            "protect",
            "tofsee",
            "virustotal",
            "contact",
            "tools",
            "speed",
            "black",
            "example",
            "trojan",
            "test",
            "path",
            "defense",
            "mikrotik",
            "golo",
            "second",
            "starfish",
            "strela"
          ],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "Hive0145",
          "targeted_countries": [
            "Germany"
          ],
          "malware_families": [
            {
              "id": "MikroTik",
              "display_name": "MikroTik",
              "target": null
            },
            {
              "id": "Golo",
              "display_name": "Golo",
              "target": null
            },
            {
              "id": "Second",
              "display_name": "Second",
              "target": null
            },
            {
              "id": "StarFish",
              "display_name": "StarFish",
              "target": null
            },
            {
              "id": "Strela",
              "display_name": "Strela",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "68dc1d2412b0e354d73f4831",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "212 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e7758b5be3ab5466a02275",
          "name": "IOC - Detour Dog: DNS Malware Powers Strela Stealer Campaigns",
          "description": "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog.",
          "modified": "2025-10-09T08:42:51.157000",
          "created": "2025-10-09T08:42:51.157000",
          "tags": [],
          "references": [
            "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "234 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e6221ba135c0619e72e3b7",
          "name": "assdfghg",
          "description": "",
          "modified": "2025-10-08T08:34:35.628000",
          "created": "2025-10-08T08:34:35.628000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2,
            "domain": 15
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 22,
          "modified_text": "235 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68e4112622320beb71316b4a",
          "name": "Detour Dog Caught Operating DNS-Based Malware Attacks to Distribute Strela Stealer",
          "description": "",
          "modified": "2025-10-06T18:57:42.852000",
          "created": "2025-10-06T18:57:42.852000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 22
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "236 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IOCs_Oct week-1.pdf",
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Hive0145",
            "Multiple APT/Malware"
          ],
          "malware_families": [
            "Second",
            "Golo",
            "Starfish",
            "Mikrotik",
            "Strela"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "68e81aa6fa499ffa699c90fe",
      "name": "EbeeOct2025 Pt1",
      "description": "",
      "modified": "2025-11-09T00:03:01.593000",
      "created": "2025-10-09T20:27:18.015000",
      "tags": [],
      "references": [
        "IOCs_Oct week-1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple APT/Malware",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 53,
        "URL": 46,
        "FileHash-MD5": 178,
        "FileHash-SHA1": 159,
        "FileHash-SHA256": 287,
        "CVE": 1,
        "domain": 71
      },
      "indicator_count": 795,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "203 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dd98718e1529162e88dac7",
      "name": "Detour Dog Uses DNS TXT Records to Deliver Strela Stealer",
      "description": "A malware campaign is using compromised websites worldwide to distribute the Strela Stealer information-stealing malware through a novel technique that abuses DNS TXT records. This method represents a significant evolution in cyber threats, researchers said.",
      "modified": "2025-10-31T21:05:05.615000",
      "created": "2025-10-01T21:09:05.692000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "211 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68dc1d2412b0e354d73f4831",
      "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
      "description": "The malware known as \"Detour Dog\" utilizes the Domain Name System (DNS) to execute redirection tactics on tens of thousands of compromised websites globally. Since August 2023, the threat actor behind this malware has been identified and continues to enhance its functionalities beyond simple redirections, now evolving to incorporate remote execution commands via a DNS-based command-and-control (C2) system. The operational methodology involves making server-side DNS requests that remain undetectable to visitors and conditionally redirect users based on their geographic location and device type.\n\nThe two primary malware components linked to this campaign are the \"StarFish Backdoor\" and \"Strela Stealer.\" Strela Stealer, first documented in late 2022, predominantly targets European nations with a focus on Germany.",
      "modified": "2025-10-30T18:03:11.379000",
      "created": "2025-09-30T18:10:44.616000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "Hive0145",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "212 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68edfce2513a952356d99a24",
      "name": "Detour Dog: DNS Malware Powers Strela Stealer Campaigns.",
      "description": "",
      "modified": "2025-10-30T18:03:11.379000",
      "created": "2025-10-14T07:33:54.529000",
      "tags": [
        "detour dog",
        "strong",
        "june",
        "august",
        "july",
        "november",
        "los pollos",
        "september",
        "february",
        "april",
        "cloud",
        "service",
        "protect",
        "tofsee",
        "virustotal",
        "contact",
        "tools",
        "speed",
        "black",
        "example",
        "trojan",
        "test",
        "path",
        "defense",
        "mikrotik",
        "golo",
        "second",
        "starfish",
        "strela"
      ],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "Hive0145",
      "targeted_countries": [
        "Germany"
      ],
      "malware_families": [
        {
          "id": "MikroTik",
          "display_name": "MikroTik",
          "target": null
        },
        {
          "id": "Golo",
          "display_name": "Golo",
          "target": null
        },
        {
          "id": "Second",
          "display_name": "Second",
          "target": null
        },
        {
          "id": "StarFish",
          "display_name": "StarFish",
          "target": null
        },
        {
          "id": "Strela",
          "display_name": "Strela",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "68dc1d2412b0e354d73f4831",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "212 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e7758b5be3ab5466a02275",
      "name": "IOC - Detour Dog: DNS Malware Powers Strela Stealer Campaigns",
      "description": "Tens of thousands of websites worldwide are infected with malware that utilizes the Domain Name System (DNS) to conditionally redirect visitors to malicious content. These DNS requests are made server-side, meaning from the website itself, and are not visible to the visitor. We have tracked the threat actor that operates this malware since August 2023. The malicious name server conditionally instructs the website to redirect the visitor based on their location and device type. While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system. We are tracking the threat actor who controls this malware as Detour Dog.",
      "modified": "2025-10-09T08:42:51.157000",
      "created": "2025-10-09T08:42:51.157000",
      "tags": [],
      "references": [
        "https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "234 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e6221ba135c0619e72e3b7",
      "name": "assdfghg",
      "description": "",
      "modified": "2025-10-08T08:34:35.628000",
      "created": "2025-10-08T08:34:35.628000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2,
        "domain": 15
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 22,
      "modified_text": "235 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68e4112622320beb71316b4a",
      "name": "Detour Dog Caught Operating DNS-Based Malware Attacks to Distribute Strela Stealer",
      "description": "",
      "modified": "2025-10-06T18:57:42.852000",
      "created": "2025-10-06T18:57:42.852000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 22
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "236 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "mssoftupdateserver.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "mssoftupdateserver.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780234866.9594688
}