{ "type": "Domain", "indicator": "multifixcargas.com.br", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/multifixcargas.com.br", "alexa": "http://www.alexa.com/siteinfo/multifixcargas.com.br", "indicator": "multifixcargas.com.br", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4324038868, "indicator": "multifixcargas.com.br", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69e9d7f4b00e56e9ebb52338", "name": "Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools", "description": "A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.", "modified": "2026-04-23T08:53:00.730000", "created": "2026-04-23T08:27:32.267000", "tags": [ "adobe lure", "phishing", "phone link", "screenconnect", "uri handler exploitation", "social engineering", "credential harvesting", "password.exe", "remote access" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null }, { "id": "password.exe", "display_name": "password.exe", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "URL": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386434, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb14ae92864b30c2decf54", "name": "oanshdwi", "description": "[ of key facts and statistics:..7 million nameservers, 1.4 million users, 2.3 million visits, and 1,000 visits to Tucows.] pretext", "modified": "2026-05-24T07:51:58.142000", "created": "2026-04-24T06:58:54.987000", "tags": [ "domain", "creation date", "date", "status", "passive dns", "urls", "files ip", "address", "location united", "asn as10352", "height water", "temp", "spotlight", "fast ip", "lookups", "open ports", "vulnerabilities", "internetdb", "marshfield ssl", "certificate", "diesel", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "charter", "inc united", "statesunited", "los angeles", "common name", "build date", "access", "ssl certificate", "gmt server", "http ntlm", "info", "stopped stopped", "service", "engine boots", "engineid data", "irelandireland", "dublin", "path", "target", "format", "encrypt", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "hostname": 209, "URL": 674, "email": 3, "FileHash-MD5": 8, "CVE": 22, "Mutex": 1, "FileHash-SHA256": 67 }, "indicator_count": 1061, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb0b1209cf366fa4f632a7", "name": "osidnahoo", "description": "A look at some of the key events in the search for a secure certificate:- or, rather, a complete list of them - that were not found, as they were reported::.", "modified": "2026-05-24T06:33:56.814000", "created": "2026-04-24T06:17:54.861000", "tags": [ "common name", "date", "gmt contenttype", "statesunited", "server", "found", "moved", "ssl certificate", "issued", "gmt connection", "info", "encrypt", "contact", "ovh telecom", "francefrance", "paris", "sitch message", "home", "softcom gmbh", "germanygermany", "berlin ssl", "certificate", "v3 teletech", "pte ltd", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "comcast ip", "derry village", "comcast cable", "communications", "llc united", "boston", "premium" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 16, "domain": 12, "hostname": 25, "email": 2, "FileHash-SHA256": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb0b13472f13e2e8b70a32", "name": "osidnahoo", "description": "A look at some of the key events in the search for a secure certificate:- or, rather, a complete list of them - that were not found, as they were reported::.", "modified": "2026-05-24T06:33:56.814000", "created": "2026-04-24T06:17:55.366000", "tags": [ "common name", "date", "gmt contenttype", "statesunited", "server", "found", "moved", "ssl certificate", "issued", "gmt connection", "info", "encrypt", "contact", "ovh telecom", "francefrance", "paris", "sitch message", "home", "softcom gmbh", "germanygermany", "berlin ssl", "certificate", "v3 teletech", "pte ltd", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "comcast ip", "derry village", "comcast cable", "communications", "llc united", "boston", "premium" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 16, "URL": 157, "domain": 236, "hostname": 295, "email": 7, "FileHash-SHA256": 252, "FileHash-MD5": 4 }, "indicator_count": 967, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eaf8302d013c66b8a8493c", "name": "Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools", "description": "", "modified": "2026-04-24T04:57:20.063000", "created": "2026-04-24T04:57:20.063000", "tags": [ "adobe lure", "phishing", "phone link", "screenconnect", "uri handler exploitation", "social engineering", "credential harvesting", "password.exe", "remote access" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null }, { "id": "password.exe", "display_name": "password.exe", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e9d7f4b00e56e9ebb52338", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "URL": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Password.exe", "Screenconnect" ], "industries": [] }, "other": { "adversary": [ "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot" ], "malware_families": [ "Password.exe", "Screenconnect" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69e9d7f4b00e56e9ebb52338", "name": "Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools", "description": "A phishing campaign utilized a fraudulent Adobe-themed website to trick victims into downloading and executing ScreenConnect remote access software. Once initial access was established, threat actors conducted interactive operations deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also exploited the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices to potentially capture notifications, authentication prompts, and sensitive information. The attack demonstrates a multi-stage compromise focusing on persistence establishment, credential theft, and preparation for potential lateral movement across the victim's network infrastructure.", "modified": "2026-04-23T08:53:00.730000", "created": "2026-04-23T08:27:32.267000", "tags": [ "adobe lure", "phishing", "phone link", "screenconnect", "uri handler exploitation", "social engineering", "credential harvesting", "password.exe", "remote access" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null }, { "id": "password.exe", "display_name": "password.exe", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "URL": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386434, "modified_text": "37 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "5 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb14ae92864b30c2decf54", "name": "oanshdwi", "description": "[ of key facts and statistics:..7 million nameservers, 1.4 million users, 2.3 million visits, and 1,000 visits to Tucows.] pretext", "modified": "2026-05-24T07:51:58.142000", "created": "2026-04-24T06:58:54.987000", "tags": [ "domain", "creation date", "date", "status", "passive dns", "urls", "files ip", "address", "location united", "asn as10352", "height water", "temp", "spotlight", "fast ip", "lookups", "open ports", "vulnerabilities", "internetdb", "marshfield ssl", "certificate", "diesel", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "charter", "inc united", "statesunited", "los angeles", "common name", "build date", "access", "ssl certificate", "gmt server", "http ntlm", "info", "stopped stopped", "service", "engine boots", "engineid data", "irelandireland", "dublin", "path", "target", "format", "encrypt", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "hostname": 209, "URL": 674, "email": 3, "FileHash-MD5": 8, "CVE": 22, "Mutex": 1, "FileHash-SHA256": 67 }, "indicator_count": 1061, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb0b1209cf366fa4f632a7", "name": "osidnahoo", "description": "A look at some of the key events in the search for a secure certificate:- or, rather, a complete list of them - that were not found, as they were reported::.", "modified": "2026-05-24T06:33:56.814000", "created": "2026-04-24T06:17:54.861000", "tags": [ "common name", "date", "gmt contenttype", "statesunited", "server", "found", "moved", "ssl certificate", "issued", "gmt connection", "info", "encrypt", "contact", "ovh telecom", "francefrance", "paris", "sitch message", "home", "softcom gmbh", "germanygermany", "berlin ssl", "certificate", "v3 teletech", "pte ltd", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "comcast ip", "derry village", "comcast cable", "communications", "llc united", "boston", "premium" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 16, "domain": 12, "hostname": 25, "email": 2, "FileHash-SHA256": 2 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eb0b13472f13e2e8b70a32", "name": "osidnahoo", "description": "A look at some of the key events in the search for a secure certificate:- or, rather, a complete list of them - that were not found, as they were reported::.", "modified": "2026-05-24T06:33:56.814000", "created": "2026-04-24T06:17:55.366000", "tags": [ "common name", "date", "gmt contenttype", "statesunited", "server", "found", "moved", "ssl certificate", "issued", "gmt connection", "info", "encrypt", "contact", "ovh telecom", "francefrance", "paris", "sitch message", "home", "softcom gmbh", "germanygermany", "berlin ssl", "certificate", "v3 teletech", "pte ltd", "taiwantaiwan", "key type", "telefonica de", "spainspain", "barcelona", "time", "user port", "stor msam", "rnto nlst", "mkd cdup", "comcast ip", "derry village", "comcast cable", "communications", "llc united", "boston", "premium" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 16, "URL": 157, "domain": 236, "hostname": 295, "email": 7, "FileHash-SHA256": 252, "FileHash-MD5": 4 }, "indicator_count": 967, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eaf8302d013c66b8a8493c", "name": "Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools", "description": "", "modified": "2026-04-24T04:57:20.063000", "created": "2026-04-24T04:57:20.063000", "tags": [ "adobe lure", "phishing", "phone link", "screenconnect", "uri handler exploitation", "social engineering", "credential harvesting", "password.exe", "remote access" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ScreenConnect", "display_name": "ScreenConnect", "target": null }, { "id": "password.exe", "display_name": "password.exe", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": "69e9d7f4b00e56e9ebb52338", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1, "URL": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "36 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "multifixcargas.com.br", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "multifixcargas.com.br", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780156729.478021 }