{ "type": "Domain", "indicator": "mydropboxinternal.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mydropboxinternal.com", "alexa": "http://www.alexa.com/siteinfo/mydropboxinternal.com", "indicator": "mydropboxinternal.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4335592426, "indicator": "mydropboxinternal.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a019872d2134a70b4d8a5bf", "name": "Inside a phishing panel", "description": "Security researchers gained direct access to Doko's Panel, a real-time phishing platform used in criminal campaigns by ShinyHunters and BlackFile groups. The investigation revealed four distinct infrastructure clusters operating independently customized variants of the tooling. Attacks combine voice phishing with adversary-in-the-middle techniques targeting enterprise identity providers like Okta, Microsoft, and Google, as well as cryptocurrency exchanges. Operators call victims impersonating IT helpdesk staff, directing them to combosquatted domains where credentials and MFA tokens are manually relayed in real-time. Confirmed breaches include SoundCloud (30M records), Match Group (10M records), Betterment (20M records), and Crunchbase. Over 400 domains have been identified linked to these operations. Evidence shows extensive use of AI language models in developing phishing infrastructure, with operators leveraging legitimate services to rapidly deploy and rotate attack infrastructure.", "modified": "2026-05-11T09:51:30.463000", "created": "2026-05-11T08:50:58.648000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552311, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "22 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02ae2646130ca477596d9b", "name": "Inside a phishing panel", "description": "", "modified": "2026-05-12T04:35:50.590000", "created": "2026-05-12T04:35:50.590000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": "6a019872d2134a70b4d8a5bf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.csv", "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "related": { "alienvault": { "adversary": [ "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240" ], "malware_families": [], "industries": [ "Hospitality", "Finance", "Education", "Aerospace", "Healthcare", "Technology" ] }, "other": { "adversary": [ "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [], "industries": [ "Hospitality", "Finance", "Education", "Aerospace", "Healthcare", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a019872d2134a70b4d8a5bf", "name": "Inside a phishing panel", "description": "Security researchers gained direct access to Doko's Panel, a real-time phishing platform used in criminal campaigns by ShinyHunters and BlackFile groups. The investigation revealed four distinct infrastructure clusters operating independently customized variants of the tooling. Attacks combine voice phishing with adversary-in-the-middle techniques targeting enterprise identity providers like Okta, Microsoft, and Google, as well as cryptocurrency exchanges. Operators call victims impersonating IT helpdesk staff, directing them to combosquatted domains where credentials and MFA tokens are manually relayed in real-time. Confirmed breaches include SoundCloud (30M records), Match Group (10M records), Betterment (20M records), and Crunchbase. Over 400 domains have been identified linked to these operations. Evidence shows extensive use of AI language models in developing phishing infrastructure, with operators leveraging legitimate services to rapidly deploy and rotate attack infrastructure.", "modified": "2026-05-11T09:51:30.463000", "created": "2026-05-11T08:50:58.648000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 552311, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "22 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02ae2646130ca477596d9b", "name": "Inside a phishing panel", "description": "", "modified": "2026-05-12T04:35:50.590000", "created": "2026-05-12T04:35:50.590000", "tags": [ "adversary-in-the-middle", "phishing panel", "vishing", "doko panel", "real-time phishing", "identity provider compromise", "aitm", "session hijacking", "cryptocurrency exchange targeting" ], "references": [ "https://pushsecurity.com/blog/inside-criminal-phishing-panel" ], "public": 1, "adversary": "ShinyHunters, BlackFile, UNC6661, UNC6671, UNC6240", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Finance", "Technology", "Healthcare", "Hospitality", "Aerospace", "Education" ], "TLP": "white", "cloned_from": "6a019872d2134a70b4d8a5bf", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mydropboxinternal.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mydropboxinternal.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780191442.3791065 }