{ "type": "Domain", "indicator": "mysqlserver.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/mysqlserver.org", "alexa": "http://www.alexa.com/siteinfo/mysqlserver.org", "indicator": "mysqlserver.org", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3546499829, "indicator": "mysqlserver.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 29, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386652, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513b48fc15b29e096cc0883", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T04:01:31.874000", "created": "2023-09-27T04:50:23.854000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "948 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513dba95e9f04e377e80ec6", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:37:13.684000", "created": "2023-09-27T07:37:13.684000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "6513d2f4bd7a777522384d5c", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d2f4bd7a777522384d5c", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T07:00:04.025000", "created": "2023-09-27T07:00:04.025000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6513d29aa4726d5d22c9dbc9", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-09-27T06:58:34.207000", "created": "2023-09-27T06:58:34.207000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "65134c8e56a09724279d94a3", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "978 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64c3a09af58f85f39cb9fdd0", "name": "Threatview.io C2 Hunt Feed", "description": "Infrastructure hosting Command & Control Servers found during Proactive Hunt by Threatview.io", "modified": "2023-08-27T11:04:21.859000", "created": "2023-07-28T11:03:54.265000", "tags": [ "hunter", "pm utc", "am utc", "september", "august", "february", "january", "june", "april", "october", "media", "date", "comment" ], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "hitman", "id": "195", "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 543, "hostname": 120 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 186, "modified_text": "1008 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634d45069bd7a94c865b63fe", "name": "Cobalt Strike C2 | 10/10/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 10/10/2022.", "modified": "2022-11-16T00:01:47.762000", "created": "2022-10-17T12:05:26.478000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1293 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63440a72bf909b9d5ae243d9", "name": "Cobalt Strike C2 | 10/03/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 10/03/2022.", "modified": "2022-11-09T00:03:32.403000", "created": "2022-10-10T12:05:06.796000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1300 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63440a6eb04ff58541ca2d32", "name": "Cobalt Strike Servers & C2 | 10/03/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 10/03/2022.", "modified": "2022-11-09T00:03:32.403000", "created": "2022-10-10T12:05:02.812000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1300 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633acfdd2a37e5a86ea722df", "name": "Cobalt Strike C2 | 09/26/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/26/2022.", "modified": "2022-11-02T00:03:22.684000", "created": "2022-10-03T12:04:45.197000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633acfdabbb4d987e51f72cd", "name": "Cobalt Strike Servers & C2 | 09/26/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/26/2022.", "modified": "2022-11-02T00:03:22.684000", "created": "2022-10-03T12:04:42.746000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1307 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "633195623f657ee1f67a703c", "name": "Cobalt Strike C2 | 09/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/19/2022.", "modified": "2022-10-26T00:03:18.189000", "created": "2022-09-26T12:04:50.661000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "1314 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6331956040a253134deba5a5", "name": "Cobalt Strike Servers & C2 | 09/19/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/19/2022.", "modified": "2022-10-26T00:03:18.189000", "created": "2022-09-26T12:04:48.236000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1314 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63285aed18a5213ce5640e6d", "name": "Cobalt Strike C2 | 09/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/12/2022.", "modified": "2022-10-19T00:05:03.577000", "created": "2022-09-19T12:05:01.708000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "1321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "63285aebad35eb7ee1046b80", "name": "Cobalt Strike Servers & C2 | 09/12/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/12/2022.", "modified": "2022-10-19T00:05:03.577000", "created": "2022-09-19T12:04:59.048000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1321 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6322690def6daff91d195843", "name": "Twitter Feed - 1ZRR4H - 14-09-2022", "description": "", "modified": "2022-10-14T23:04:03.309000", "created": "2022-09-14T23:51:41.528000", "tags": [ "CobaltStrike" ], "references": [ "https://twitter.com/1ZRR4H/status/1569937644183773185", "https://twitter.com/1ZRR4H/status/1570193488012251139" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3, "URL": 5, "hostname": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6321fb93c107ae79bb3cd17b", "name": "Cobalt Strike C2 - cryptolaemus - 9-14-22", "description": "https://twitter.com/Cryptolaemus1/status/1570039851633762306", "modified": "2022-10-14T16:13:54.301000", "created": "2022-09-14T16:04:35.886000", "tags": [ "Cobalt Strike", "Command & Control" ], "references": [ "Cobalt Strike C2 - cryptolaemus - 9-14-22.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "1325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "631f206c5854bcf38c2c30c8", "name": "Cobalt Strike C2 | 09/05/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. We then pull them down and extract the beacon config for analysis. The IPs and domains in this pulse are the C2 hosts extracted from those configs. These servers were scanned the week of 09/05/2022.", "modified": "2022-10-12T00:05:41.896000", "created": "2022-09-12T12:05:00.475000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "1328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "631f20691b7a824546287c13", "name": "Cobalt Strike Servers & C2 | 09/05/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 09/05/2022.", "modified": "2022-10-12T00:05:41.896000", "created": "2022-09-12T12:04:57.307000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6315e615d4a3df3558b40f6a", "name": "Cobalt Strike Servers & C2 | 08/29/2022", "description": "IronNet Threat Analysts scan the web searching for hosts that are serving Cobalt Strike beacons. These indicators are hosting Cobalt Strike payloads and are the C2 according to their configs. These servers were scanned the week of 08/29/2022.", "modified": "2022-10-05T00:01:41.930000", "created": "2022-09-05T12:05:41.138000", "tags": [ "Cobalt Strike" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IronNetTR", "id": "135317", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_135317/resized/80/avatar_3be4d4773d.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "1335 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "Aug1.pdf", "Cobalt Strike C2 - cryptolaemus - 9-14-22.csv", "https://twitter.com/1ZRR4H/status/1570193488012251139", "https://twitter.com/1ZRR4H/status/1569937644183773185", "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt", "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple" ], "malware_families": [ "", "Cobalt strike - s0154" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 29, "pulses": [ { "id": "65134c8e56a09724279d94a3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "The Ransomware-as-a-Service (RaaS) market is a fast-moving one. Prominent RaaS or affiliate groups can form, wreak havoc, and disband all within a short period of time. In Hi-Tech Crime Trends 2022/2023, Group-IB Threat Intelligence\u2019s review of the top cyber threats, our researchers predicted that the RaaS industry will continue to grow rapidly and that numerous new gangs would likely appear on the block. In this blog, we\u2019ll detail what we believe to be a new RaaS group that appears to operate differently from the rest: Enter ShadowSyndicate.", "modified": "2023-12-17T00:02:57.642000", "created": "2023-09-26T21:26:37.884000", "tags": [ "Cobalt Strike", "ShadowSyndicate", "SSH", "Quantum ransomware", "IcedID", "Matanbuchus" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1471", "name": "Data Encrypted for Impact", "display_name": "T1471 - Data Encrypted for Impact" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 475, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 386652, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68427c0a165a609d28ed52b0", "name": "cobalt", "description": "", "modified": "2026-02-03T02:41:03.267000", "created": "2025-06-06T05:26:34.964000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 598, "email": 1, "hostname": 215 }, "indicator_count": 816, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676eecd99a3f9ed2923aa4c1", "name": "CobaltStrike C2", "description": "", "modified": "2025-01-26T18:03:37.147000", "created": "2024-12-27T18:07:21.839000", "tags": [], "references": [ "https://threatview.io/Downloads/High-Confidence-CobaltStrike-C2%20-Feeds.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 596, "email": 1, "hostname": 173 }, "indicator_count": 772, "is_author": false, "is_subscribing": null, "subscriber_count": 187, "modified_text": "490 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65250b33cd82629b184a2892", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player?", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-10T08:28:35.806000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "651ed59f24821c3a8fee9155", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santravault1", "id": "217419", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_217419/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 75, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651ed59f24821c3a8fee9155", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-04T15:01:12.263000", "created": "2023-10-05T15:26:23.365000", "tags": [], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "99gmotor", "id": "234776", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "939 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "651d941a5b6307a52d3a44a1", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-11-03T16:01:01.291000", "created": "2023-10-04T16:34:34.131000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "940 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65157d1358a3107b2ee5f055", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-28T13:00:32.089000", "created": "2023-09-28T13:18:11.640000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Cyber74Team", "id": "202637", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_202637/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 165, "modified_text": "946 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65140b17488d4f507c0050c3", "name": "Dusting for fingerprints: ShadowSyndicate, a new RaaS player? | Group-IB Blog", "description": "", "modified": "2023-10-27T10:02:00.427000", "created": "2023-09-27T10:59:35.797000", "tags": [ "cobalt strike", "shadowsyndicate", "nokoyawa", "september", "strong", "alphv", "cl0p", "april", "list a", "november", "august", "royal", "panama", "icedid", "unknown", "play", "february", "sliver", "conti", "ryuk", "june", "play ransomware", "matanbuchus", "meterpreter", "trickbot", "team", "metasploit", "shell", "tools", "gootloader", "comment", "karakurt", "ransomexx", "revil", "malspam", "nemty", "blackcat" ], "references": [ "https://www.group-ib.com/blog/shadowsyndicate-raas/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 33, "hostname": 7 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "947 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "mysqlserver.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "mysqlserver.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780306815.1762 }