{ "type": "Domain", "indicator": "nrcsnap.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/nrcsnap.com", "alexa": "http://www.alexa.com/siteinfo/nrcsnap.com", "indicator": "nrcsnap.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4266875073, "indicator": "nrcsnap.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69baa9c0ae4f42f54b4c18ac", "name": "The Rise of Fake Shipment Tracking Scams in MEA", "description": "The \"fake shipment tracking\" scam has emerged as a prevalent cyber threat, particularly exploiting the global reliance on e-commerce and parcel delivery services. Operational mainly since early 2024, its growth surged in 2025, coinciding with holiday shopping periods. This phishing scheme typically initiates through SMS messages that claim delivery failures, urging victims to update their address or pay supposed handling fees to re-deliver their packages. These messages are designed to be urgent and appear official, making victims more likely to engage with the provided links, which direct them to counterfeit tracking pages that aim to steal personal and banking information.", "modified": "2026-03-18T13:33:52.413000", "created": "2026-03-18T13:33:52.413000", "tags": [ "network iocs" ], "references": [ "https://www.group-ib.com/blog/mea-shipment-tracking-scam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [ "Transportation", "Finance", "Government", "Education", "Aerospace" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.4.csv", "https://www.group-ib.com/blog/mea-shipment-tracking-scam/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code " ], "malware_families": [], "industries": [ "Aerospace", "Government", "Transportation", "Finance", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bbbb60a8390fc9a5e0e715", "name": "EbeeMar2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T09:01:20.593000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "email", "xdsfeerdfbn", "chlg url" ], "references": [ "IOCs.2026.4.csv" ], "public": 1, "adversary": "Operation GhostMail, CastleRAT, UNK_NightOwl, Fake Shipment Tracking Scams in MEA, Fake Claude Code ", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 77, "FileHash-MD5": 122, "FileHash-SHA1": 103, "FileHash-SHA256": 164, "CVE": 25, "URL": 58, "domain": 107, "email": 30 }, "indicator_count": 686, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69baa9c0ae4f42f54b4c18ac", "name": "The Rise of Fake Shipment Tracking Scams in MEA", "description": "The \"fake shipment tracking\" scam has emerged as a prevalent cyber threat, particularly exploiting the global reliance on e-commerce and parcel delivery services. Operational mainly since early 2024, its growth surged in 2025, coinciding with holiday shopping periods. This phishing scheme typically initiates through SMS messages that claim delivery failures, urging victims to update their address or pay supposed handling fees to re-deliver their packages. These messages are designed to be urgent and appear official, making victims more likely to engage with the provided links, which direct them to counterfeit tracking pages that aim to steal personal and banking information.", "modified": "2026-03-18T13:33:52.413000", "created": "2026-03-18T13:33:52.413000", "tags": [ "network iocs" ], "references": [ "https://www.group-ib.com/blog/mea-shipment-tracking-scam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1608.004", "name": "Drive-by Target", "display_name": "T1608.004 - Drive-by Target" } ], "industries": [ "Transportation", "Finance", "Government", "Education", "Aerospace" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "nrcsnap.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "nrcsnap.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780354940.3761892 }