{ "type": "Domain", "indicator": "oastify.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/oastify.com", "alexa": "http://www.alexa.com/siteinfo/oastify.com", "indicator": "oastify.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3385000210, "indicator": "oastify.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 45, "pulses": [ { "id": "69aa0d6928e1b683d3aec3e9", "name": "U42 | CVE Data", "description": "", "modified": "2026-04-04T23:37:39.530000", "created": "2026-03-05T23:10:30.462000", "tags": [ "cve20261731", "beyondtrust", "unit", "php web", "palo alto", "access", "remote support", "sparkrat", "linux", "cve202412356", "vshell", "critical", "alliance", "february", "install", "anydesk", "cookie", "china chopper", "trojan", "powershell", "installer" ], "references": [ "https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "theiceroot", "id": "387322", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "CVE": 12, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 5, "domain": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a046863c1c92107079f81b", "name": "EbeeFeb2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:11:34.763000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "FileHash-MD5": 191, "FileHash-SHA1": 220, "FileHash-SHA256": 192, "CVE": 2, "URL": 58, "domain": 220 }, "indicator_count": 961, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980cafd5a7e848e3448995", "name": "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)", "description": "Palo Alto Networks has identified and identified a critical vulnerability in its remote support software, known as CVE-2026-1731, which could allow attackers to execute operating system commands with high privileges.", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:26:36.653000", "tags": [ "cve20261731", "beyondtrust", "unit", "php web", "palo alto", "access", "remote support", "sparkrat", "linux", "cve202412356", "vshell", "critical", "alliance", "february", "install", "anydesk", "cookie", "china chopper", "trojan", "powershell", "installer", "apt27", "emissary panda", "php" ], "references": [ "https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/" ], "public": 1, "adversary": "APT27", "targeted_countries": [], "malware_families": [ { "id": "PHP", "display_name": "PHP", "target": null }, { "id": "BeyondTrust", "display_name": "BeyondTrust", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ncdomsch", "id": "307690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 5, "domain": 2, "hostname": 5 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6874465, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69404b09d8296388596ecfa9", "name": "BLOCK_2025_DIC", "description": "", "modified": "2025-12-24T16:04:11.529000", "created": "2025-12-15T17:53:13.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2300, "FileHash-MD5": 4833, "URL": 1673, "hostname": 1297, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3235, "CIDR": 19, "email": 170, "CVE": 4 }, "indicator_count": 23916, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654c34e7efa40976a9dd655b", "name": "SOC2023", "description": "", "modified": "2025-08-17T17:03:38.868000", "created": "2023-11-09T01:24:55.160000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65491efbfc3d9479076431bb", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1714, "FileHash-MD5": 3448, "URL": 727, "hostname": 912, "FileHash-SHA256": 4539, "FileHash-SHA1": 2696, "IPv4": 276, "CIDR": 10, "email": 28 }, "indicator_count": 14350, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682497150a564a6c77dc70a7", "name": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures", "description": "", "modified": "2025-06-13T13:00:49.961000", "created": "2025-05-14T13:13:57.769000", "tags": [ "sap netweaver", "unc5174", "eclecticiq", "krustyloader", "vshell", "clsta0048", "webshell", "snowlight", "apts", "cve202531324", "april", "trojan", "service", "format", "persistence", "sliver", "path" ], "references": [ "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 5, "CVE": 10, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 15, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 850, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68241f8569400eac8085bfa4", "name": "CEC Juniper Community", "description": "A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.", "modified": "2025-06-13T04:00:58.344000", "created": "2025-05-14T04:43:49.515000", "tags": [ "cec juniper", "sorry", "css error", "refresh", "sap netweaver", "unc5174", "eclecticiq", "krustyloader", "vshell", "clsta0048", "webshell", "snowlight", "apts", "cve202531324", "april", "trojan", "service", "format", "persistence", "sliver", "path", "azure ad", "threat", "sta-0048" ], "references": [ "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures" ], "public": 1, "adversary": "Azure AD", "targeted_countries": [ "China" ], "malware_families": [ { "id": "STA-0048", "display_name": "STA-0048", "target": null }, { "id": "KrustyLoader", "display_name": "KrustyLoader", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null }, { "id": "Vshell", "display_name": "Vshell", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "SNOWLIGHT", "display_name": "SNOWLIGHT", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 5, "CVE": 10, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 15, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246da161670e959a9eec", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:29.608000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246c8bf7850b5096828e", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:28.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6765eebf9ec06704f3a6ea68", "name": "CLON IPIF", "description": "", "modified": "2025-01-09T23:04:00.232000", "created": "2024-12-20T22:25:03.407000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2031, "FileHash-MD5": 4171, "URL": 1324, "hostname": 1222, "FileHash-SHA256": 5634, "FileHash-SHA1": 3368, "IPv4": 189, "CIDR": 6, "email": 162 }, "indicator_count": 18107, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758ebc2472100ac75acad69", "name": "2024-DIC-10-Clon", "description": "", "modified": "2025-01-09T23:04:00.232000", "created": "2024-12-11T01:32:50.260000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2030, "FileHash-MD5": 4171, "URL": 1324, "hostname": 1222, "FileHash-SHA256": 5634, "FileHash-SHA1": 3368, "IPv4": 189, "CIDR": 6, "email": 162 }, "indicator_count": 18106, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6732a0b6cc4c5356a823de37", "name": "_CLON_2024_NOV11", "description": "", "modified": "2024-12-11T00:00:21.805000", "created": "2024-11-12T00:26:30.524000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1795, "FileHash-MD5": 3724, "URL": 1028, "hostname": 1096, "FileHash-SHA256": 5030, "FileHash-SHA1": 2927, "IPv4": 189, "CIDR": 6, "email": 28 }, "indicator_count": 15823, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "495 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65fc23e4c36f0715310e1d95", "name": "SOC_BLOCK_NEW", "description": "", "modified": "2024-03-21T12:11:41.190000", "created": "2024-03-21T12:11:16.345000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 275, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fencesense", "id": "255590", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1715, "FileHash-MD5": 3498, "URL": 729, "hostname": 911, "FileHash-SHA256": 4590, "FileHash-SHA1": 2746, "IPv4": 189, "CIDR": 6, "email": 28 }, "indicator_count": 14412, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "760 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c26056483aa958ffb66a7d", "name": "Update 1: Ivanti SSRF Zero-Day Exploited in Widespread Attacks", "description": "The full list of people who have tested the latest version of the word \"d-n-s.name\" has been published online, on the website of oastify.com,", "modified": "2024-03-07T16:02:27.872000", "created": "2024-02-06T16:37:42.952000", "tags": [ "hash", "sha256", "url http" ], "references": [ "TI Advisory No_ESAF-SOC-TI-283-Update 1 Ivanti SSRF Zero-Day Exploited in Widespread Attacks.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 19, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 86, "modified_text": "774 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "795 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654d3c86525faa802127c327", "name": "Ransomware actor exploits unsupported ColdFusion servers", "description": "", "modified": "2023-12-09T20:05:39.722000", "created": "2023-11-09T20:09:42.513000", "tags": [ "access3b", "t1190", "cobalt strike", "september", "powershell", "beacon", "c210a", "amsicobalta", "nop exec", "ransomware", "lockbit", "coldfusion", "shellcode", "next", "april", "beacons", "cs beacon", "iocs", "tiny turla", "androidhiddadt", "rtfs", "owassrf iocs", "ransomwarehive", "wormwannacry", "indicator" ], "references": [ "https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/", "https://github.com/sophoslabs/IoCs/blob/master/2023-10-ColdFusion-ransomware-IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Beacons", "display_name": "Beacons", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 11, "FileHash-SHA256": 10, "domain": 1, "hostname": 2, "CVE": 6 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a9b042961d3e7a6a564d", "name": "bkp16oct", "description": "", "modified": "2023-12-06T17:04:48.880000", "created": "2023-12-06T17:04:48.880000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1390, "FileHash-SHA256": 3099, "hostname": 769, "FileHash-MD5": 2353, "FileHash-SHA1": 1624, "URL": 590, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 10007, "is_author": false, "is_subscribing": null, "subscriber_count": 113, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a8b5cae685fce7f5231f", "name": "bkp oct 10", "description": "", "modified": "2023-12-06T17:00:37.687000", "created": "2023-12-06T17:00:37.687000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1376, "FileHash-SHA256": 3065, "hostname": 768, "FileHash-MD5": 2320, "FileHash-SHA1": 1591, "URL": 589, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7d02c5746343283fc12", "name": "bkp5o23", "description": "", "modified": "2023-12-06T16:56:48.472000", "created": "2023-12-06T16:56:48.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1365, "FileHash-SHA256": 3021, "hostname": 764, "FileHash-MD5": 2278, "FileHash-SHA1": 1539, "URL": 589, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 9738, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7aaee2e95f7517277d3", "name": "bkp03test", "description": "", "modified": "2023-12-06T16:56:10.492000", "created": "2023-12-06T16:56:10.492000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1362, "FileHash-SHA256": 2891, "hostname": 755, "FileHash-MD5": 2159, "FileHash-SHA1": 1420, "URL": 589, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9356, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a7a346ec10c12d5b15b5", "name": "BKPo3", "description": "", "modified": "2023-12-06T16:56:03.381000", "created": "2023-12-06T16:56:03.381000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1362, "FileHash-SHA256": 2891, "hostname": 755, "FileHash-MD5": 2159, "FileHash-SHA1": 1420, "URL": 589, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9356, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a602c1e9c47280c247e4", "name": "SOC2023", "description": "", "modified": "2023-12-06T16:49:06.159000", "created": "2023-12-06T16:49:06.159000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1420, "FileHash-SHA256": 3123, "hostname": 769, "FileHash-MD5": 2379, "FileHash-SHA1": 1642, "URL": 590, "email": 26, "IPv4": 150, "CIDR": 6 }, "indicator_count": 10105, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a5f81702fdce6c496a1c", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:48:56.950000", "created": "2023-12-06T16:48:56.950000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a5a5f6bf793f823e6397", "name": "Undefined Name", "description": "", "modified": "2023-12-06T16:47:33.032000", "created": "2023-12-06T16:47:33.032000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570a131970ec6097f14145d", "name": "SOC BACKUP 30 agosto 23", "description": "", "modified": "2023-12-06T16:28:33.117000", "created": "2023-12-06T16:28:33.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2285, "FileHash-MD5": 1940, "FileHash-SHA1": 1329, "domain": 1221, "URL": 509, "hostname": 691, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 8155, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709d867a940714a5e7986c", "name": "soc bkp 20jul23", "description": "", "modified": "2023-12-06T16:12:54.283000", "created": "2023-12-06T16:12:54.283000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1808, "FileHash-MD5": 1232, "FileHash-SHA1": 991, "domain": 1138, "URL": 431, "hostname": 546, "email": 26, "IPv4": 142, "CIDR": 6 }, "indicator_count": 6320, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709d02c0ab86d6d480a712", "name": "prueba final9", "description": "", "modified": "2023-12-06T16:10:42.479000", "created": "2023-12-06T16:10:42.479000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1159, "FileHash-SHA256": 1645, "FileHash-SHA1": 913, "domain": 1082, "URL": 353, "email": 25, "hostname": 395, "CIDR": 6 }, "indicator_count": 5578, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709cd0237fe7c1dad22d00", "name": "backup soc 3jul", "description": "", "modified": "2023-12-06T16:09:52.107000", "created": "2023-12-06T16:09:52.107000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1607, "FileHash-MD5": 1121, "FileHash-SHA1": 863, "domain": 1094, "URL": 349, "hostname": 371, "email": 25, "IPv4": 131, "CIDR": 6 }, "indicator_count": 5567, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709c30640281616285e1c3", "name": "Backup_soc_2022_05jun23", "description": "", "modified": "2023-12-06T16:07:12.894000", "created": "2023-12-06T16:07:12.894000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1115, "FileHash-SHA256": 1554, "FileHash-SHA1": 857, "domain": 1079, "URL": 338, "hostname": 368, "email": 25, "IPv4": 131, "CIDR": 6 }, "indicator_count": 5473, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "657093164553ecf08ba4a8bd", "name": "SOC2022ALL", "description": "", "modified": "2023-12-06T15:28:22.905000", "created": "2023-12-06T15:28:22.905000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1345, "FileHash-SHA256": 2819, "hostname": 741, "FileHash-MD5": 2106, "FileHash-SHA1": 1371, "URL": 571, "email": 26, "IPv4": 148, "CIDR": 6 }, "indicator_count": 9133, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654cdfcd1a88f85ae658fd99", "name": "Ransomware actor exploits unsupported ColdFusion servers\u2014but comes away empty-handed - Sophos News", "description": "", "modified": "2023-11-09T15:47:43.146000", "created": "2023-11-09T13:34:05.205000", "tags": [ "access3b", "t1190", "cobalt strike", "september", "powershell", "beacon", "c210a", "amsicobalta", "nop exec", "ransomware", "lockbit", "coldfusion", "shellcode", "next", "april" ], "references": [ "https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 10, "FileHash-SHA256": 1, "domain": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 847, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "652fd24de743b040e787ab18", "name": "Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains", "description": "", "modified": "2023-11-09T14:05:51.632000", "created": "2023-10-18T12:40:45.347000", "tags": [ "WSFTPSVR_WTM", "C#", "Windows API", "PowerShell", "Curl", "Active Directory (AD)" ], "references": [ "https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": "6527688c53189a058c16e58d", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 19, "domain": 1, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6526a1e8c0915b372a93d992", "name": "Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains", "description": "Starting on September 30, 2023, SentinelOne has observed actors exploiting the recently disclosed flaws in Progress\u2019 WS_FTP against Windows servers running a vulnerable version of the software. The two highest severity vulnerabilities\u2013CVE-2023-40044 and CVE-2023-42657\u2013were assigned a CVSS score of 10 and 9.9, respectively. We observed at least three types of multi-stage attack chains, which begin with exploitation, and then commands to download a payload from a remote server, often via an IP-literal URL.", "modified": "2023-11-09T14:05:51.632000", "created": "2023-10-11T13:23:52.993000", "tags": [ "WSFTPSVR_WTM", "C#", "Windows API", "PowerShell", "Curl", "Active Directory (AD)" ], "references": [ "https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": "6525605d7e0da326e806369b", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "feisty-swim1410", "id": "217462", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 19, "domain": 1, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 65, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6527688c53189a058c16e58d", "name": "Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains", "description": "", "modified": "2023-11-09T14:05:51.632000", "created": "2023-10-12T03:31:24.409000", "tags": [ "WSFTPSVR_WTM", "C#", "Windows API", "PowerShell", "Curl", "Active Directory (AD)" ], "references": [ "https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": "6525605d7e0da326e806369b", "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 19, "domain": 1, "hostname": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "893 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65244392ce4f07fd0c3511ed", "name": "Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains - SentinelOne", "description": "Stay up-to-date with the latest updates from SentinelOne, the world\u2019s leading cybersecurity company, at the OneCon23 event in Las Vegas, USA, on 23 May.", "modified": "2023-11-08T18:03:16.632000", "created": "2023-10-09T18:16:50.126000", "tags": [ "powershell", "attack chain", "c curl", "progress", "variable", "temp", "curl", "ssw0rd123", "moveit transfer", "september", "virustotal", "june" ], "references": [ "https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" } ], "industries": [ "Information Technology", "Technology", "Legal", "Construction", "Oil And", "Gas", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AL-SOC@ascendlearning.com", "id": "77219", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA1": 19, "URL": 14, "domain": 2, "hostname": 4 }, "indicator_count": 41, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "894 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6346ee707f119521a426ecc9", "name": "SOC2022ALL", "description": "DD", "modified": "2023-10-21T14:02:41.990000", "created": "2022-10-12T16:42:24.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16454, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1490, "FileHash-MD5": 2606, "URL": 611, "hostname": 831, "FileHash-SHA256": 3518, "FileHash-SHA1": 1794, "IPv4": 187, "CIDR": 6, "email": 26 }, "indicator_count": 11069, "is_author": false, "is_subscribing": null, "subscriber_count": 102, "modified_text": "912 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653251ee3fd060e1b50a296a", "name": "Ransomware actor exploits unsupported ColdFusion servers\u2014but comes away empty-handed – Sophos News", "description": "", "modified": "2023-10-20T10:09:50.614000", "created": "2023-10-20T10:09:50.614000", "tags": [ "access3b", "t1190", "cobalt strike", "september", "powershell", "beacon", "c210a", "amsicobalta", "nop exec", "ransomware", "lockbit", "coldfusion", "shellcode", "next", "april" ], "references": [ "https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "JordanPowell@123", "id": "246048", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 10, "FileHash-SHA256": 1, "domain": 1, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "913 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b7e02c04a33afd00e21ff4", "name": "Advisory Report for Adobe ColdFusion Vulnerability", "description": "Hackers are actively exploiting two critical vulnerabilities in Adobe ColdFusion to bypass authentication and remotely execute commands, allowing them to install webshells on vulnerable servers.\nThese are security recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks.", "modified": "2023-08-18T13:01:20.978000", "created": "2023-07-19T13:07:56.486000", "tags": [ "iocs" ], "references": [ "https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/", "https://www.bleepingcomputer.com/news/security/critical-coldfusion-flaws-exploited-in-attacks-to-drop-webshells/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 105, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b6a59df2116085edbcc8d5", "name": "Critical flaws of \u201cColdfusion\u201d have been exploited", "description": "", "modified": "2023-08-17T14:04:01.953000", "created": "2023-07-18T14:45:49.750000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 485, "modified_text": "977 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64b654448e76a8cc1dce73a9", "name": "Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities", "description": "Here is a full list of product updates from the Rapid7 Cybersecurity Foundation, which aims to provide a comprehensive guide to all the latest security threats and vulnerabilities on the web, in order to follow.", "modified": "2023-08-17T08:03:39.281000", "created": "2023-07-18T08:58:44.264000", "tags": [ "coldfusion", "adobe", "wddx", "powershell", "webshell", "cve-2023-29298", "cve-2023-29300", "cve-2023-38203" ], "references": [ "https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 6, "FileHash-SHA256": 1, "domain": 1, "hostname": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "977 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63b580a925bb698985fa83ea", "name": "vendor.bundle.js", "description": "", "modified": "2023-02-03T13:00:02.804000", "created": "2023-01-04T13:35:37.535000", "tags": [ "vxstream", "trojan", "apt", "memoryfile scan", "error", "progresstype", "graytext", "typeof e", "highlight", "bg96gwp", "typeof", "window", "null", "date", "span", "path", "meta", "push", "unknown", "roboto", "scroll", "suspicious", "close", "light", "template", "abcd", "android", "trident", "backspace", "insert", "4096", "void", "legend", "iframe", "webview", "infinity", "ransomware", "malicious", "accept toggle", "voice", "upgrade" ], "references": [ "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d", "This website contains the details of an anti-virus scan conducted by the MetaDefender, which aims to identify and remove malware from websites, websites and social media sites, including Facebook, Twitter and YouTube.", "original dropped file discovery url", "http://lifehacker.com/assets/stylesheets/app-a873b056f0ea955e4ff0abebb210e5a6.css", "Making HTTPS connections using insecure TLS/SSL version details Connection was make using TLSv1.1 [tls.handshake.version: 0x00000302] source Network Traffic relevance 10/10 ATT&CK ID T1573 (Show technique in the MITRE ATT&CK\u2122 matrix)", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d/63aef1a83e3bb16765527bb8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 205, "URL": 1340, "FileHash-SHA256": 407, "hostname": 491, "FileHash-MD5": 8, "email": 1, "FileHash-SHA1": 1 }, "indicator_count": 2453, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634752ccc6c6b8204a03691a", "name": "BACKUP BLOC TRR", "description": "", "modified": "2022-11-11T22:01:01.696000", "created": "2022-10-12T23:50:36.404000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6346ee707f119521a426ecc9", "export_count": 1121, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 223, "FileHash-MD5": 1, "URL": 5, "hostname": 59 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "1255 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6218865223c0f1b8596e4428", "name": "NewDom-4-20220225", "description": "ICANN-Dom", "modified": "2022-04-11T00:04:29.819000", "created": "2022-02-25T07:33:38.868000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1470 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "20230816_202710-scantemp.b14ff4bc3a", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "https://github.com/sophoslabs/IoCs/blob/master/2023-10-ColdFusion-ransomware-IOCs.csv", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "strlcatmMvE1V.c", "bauh@mrkd", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "@tmp", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", ".org.chromium.Chromium.12ZdF3", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "https://www.sentinelone.com/blog/threat-actors-actively-exploiting-progress-ws_ftp-via-multiple-attack-chains/", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "This website contains the details of an anti-virus scan conducted by the MetaDefender, which aims to identify and remove malware from websites, websites and social media sites, including Facebook, Twitter and YouTube.", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "TI Advisory No_ESAF-SOC-TI-283-Update 1 Ivanti SSRF Zero-Day Exploited in Widespread Attacks.txt", "IOCs.2026.csv", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "stdbool.ht64kj6qw.c", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", ".org.chromium.Chromium.T2jdbS", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "memmemY_2MMv.c", "tmp.ziktUZeKXL", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "albert_yt_ynb2tftv", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "v8-compile-cache-1000", "plasma-csd-generator.LTvjbT", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", ".org.chromium.Chromium.8GBhMA", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "fish.root", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "v8-compile-cache-0", ".org.chromium.Chromium.HMzFxo", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "tmp90lfbdek", "https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "https://www.bleepingcomputer.com/news/security/critical-coldfusion-flaws-exploited-in-attacks-to-drop-webshells/", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", ".vbox-mrkd-ipc", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", ".org.chromium.Chromium.coQnti", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "runtime-root", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "qtsingleapp-Octopi-1d88-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "original dropped file discovery url", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "tmp.D4NXyZ3U4J", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "http://lifehacker.com/assets/stylesheets/app-a873b056f0ea955e4ff0abebb210e5a6.css", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "pytest-of-mrkd", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "strlcpydb8x03.c", "https://hybrid-analysis.com/sample/f90162e65235185a24e9f20d855371b8ad7462d50d7a57851d000cfd5116f76d/63aef1a83e3bb16765527bb8", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "qtsingleapp-Octopi-1d88-3e8", ".X11-unix", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", ".ICE-unix", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "tst-bz26353KOtJVp", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "Making HTTPS connections using insecure TLS/SSL version details Connection was make using TLSv1.1 [tls.handshake.version: 0x00000302] source Network Traffic relevance 10/10 ATT&CK ID T1573 (Show technique in the MITRE ATT&CK\u2122 matrix)", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "N/A", "Azure AD", "APT27", "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo" ], "malware_families": [ "Beyondtrust", "Vshell", "Snowlight", "Threat", "Backdoor:win32/r2d2.a", "Delphi", "Ransom:linux/darkradiation.a!mtb", "Bv:telegrambot-a\\ [trj]", "Trojandownloader:linux/morila!mtb", "Netexecutablemicrosoft", "Slf:mamacsemacro.a", "Trojandropper:win32/fakeflexnet.a", "Beacons", "Php", "Sf:shellcode-dz\\ [trj]", "Sta-0048", "Cobalt strike", "Krustyloader" ], "industries": [ "Construction", "Oil and", "Legal", "Individuals", "Technology", "Critical infrastructure", "Gas", "Healthcare", "Information technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 45, "pulses": [ { "id": "69aa0d6928e1b683d3aec3e9", "name": "U42 | CVE Data", "description": "", "modified": "2026-04-04T23:37:39.530000", "created": "2026-03-05T23:10:30.462000", "tags": [ "cve20261731", "beyondtrust", "unit", "php web", "palo alto", "access", "remote support", "sparkrat", "linux", "cve202412356", "vshell", "critical", "alliance", "february", "install", "anydesk", "cookie", "china chopper", "trojan", "powershell", "installer" ], "references": [ "https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "theiceroot", "id": "387322", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5, "CVE": 12, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 9, "URL": 5, "domain": 2 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 15, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a046863c1c92107079f81b", "name": "EbeeFeb2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-31T06:00:59.128000", "created": "2026-02-26T13:11:34.763000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 78, "FileHash-MD5": 191, "FileHash-SHA1": 220, "FileHash-SHA256": 192, "CVE": 2, "URL": 58, "domain": 220 }, "indicator_count": 961, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "20 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980cafd5a7e848e3448995", "name": "VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)", "description": "Palo Alto Networks has identified and identified a critical vulnerability in its remote support software, known as CVE-2026-1731, which could allow attackers to execute operating system commands with high privileges.", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:26:36.653000", "tags": [ "cve20261731", "beyondtrust", "unit", "php web", "palo alto", "access", "remote support", "sparkrat", "linux", "cve202412356", "vshell", "critical", "alliance", "february", "install", "anydesk", "cookie", "china chopper", "trojan", "powershell", "installer", "apt27", "emissary panda", "php" ], "references": [ "https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/" ], "public": 1, "adversary": "APT27", "targeted_countries": [], "malware_families": [ { "id": "PHP", "display_name": "PHP", "target": null }, { "id": "BeyondTrust", "display_name": "BeyondTrust", "target": null } ], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ncdomsch", "id": "307690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 12, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 9, "URL": 5, "domain": 2, "hostname": 5 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 0, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6675c61d2a8e4554b9985027", "name": "BLOCK_2024", "description": "", "modified": "2026-02-04T19:03:11.880000", "created": "2024-06-21T18:27:41.885000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65e899612f5527bad9d4e5a8", "export_count": 6874465, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2306, "FileHash-MD5": 4833, "URL": 1674, "hostname": 1302, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3524, "CIDR": 19, "email": 190, "CVE": 4 }, "indicator_count": 24237, "is_author": false, "is_subscribing": null, "subscriber_count": 108, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69404b09d8296388596ecfa9", "name": "BLOCK_2025_DIC", "description": "", "modified": "2025-12-24T16:04:11.529000", "created": "2025-12-15T17:53:13.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2300, "FileHash-MD5": 4833, "URL": 1673, "hostname": 1297, "FileHash-SHA256": 6371, "FileHash-SHA1": 4014, "IPv4": 3235, "CIDR": 19, "email": 170, "CVE": 4 }, "indicator_count": 23916, "is_author": false, "is_subscribing": null, "subscriber_count": 79, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "654c34e7efa40976a9dd655b", "name": "SOC2023", "description": "", "modified": "2025-08-17T17:03:38.868000", "created": "2023-11-09T01:24:55.160000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "65491efbfc3d9479076431bb", "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1714, "FileHash-MD5": 3448, "URL": 727, "hostname": 912, "FileHash-SHA256": 4539, "FileHash-SHA1": 2696, "IPv4": 276, "CIDR": 10, "email": 28 }, "indicator_count": 14350, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682497150a564a6c77dc70a7", "name": "China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures", "description": "", "modified": "2025-06-13T13:00:49.961000", "created": "2025-05-14T13:13:57.769000", "tags": [ "sap netweaver", "unc5174", "eclecticiq", "krustyloader", "vshell", "clsta0048", "webshell", "snowlight", "apts", "cve202531324", "april", "trojan", "service", "format", "persistence", "sliver", "path" ], "references": [ "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 5, "CVE": 10, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 15, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 850, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68241f8569400eac8085bfa4", "name": "CEC Juniper Community", "description": "A report from EclecticIQ on a China-Nexus nation-state cyber-espionage campaign against SAP NetWeaver reveals details of Chinese-speaking attackers' operations and how they target high-value networks.", "modified": "2025-06-13T04:00:58.344000", "created": "2025-05-14T04:43:49.515000", "tags": [ "cec juniper", "sorry", "css error", "refresh", "sap netweaver", "unc5174", "eclecticiq", "krustyloader", "vshell", "clsta0048", "webshell", "snowlight", "apts", "cve202531324", "april", "trojan", "service", "format", "persistence", "sliver", "path", "azure ad", "threat", "sta-0048" ], "references": [ "https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures" ], "public": 1, "adversary": "Azure AD", "targeted_countries": [ "China" ], "malware_families": [ { "id": "STA-0048", "display_name": "STA-0048", "target": null }, { "id": "KrustyLoader", "display_name": "KrustyLoader", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null }, { "id": "Vshell", "display_name": "Vshell", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "SNOWLIGHT", "display_name": "SNOWLIGHT", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 4, "URL": 5, "CVE": 10, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 15, "hostname": 2 }, "indicator_count": 44, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246da161670e959a9eec", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:29.608000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679c246c8bf7850b5096828e", "name": "2024-blocking-soc-ene25", "description": "", "modified": "2025-02-15T00:01:08.338000", "created": "2025-01-31T01:16:28.004000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6675c61d2a8e4554b9985027", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "BLOCKINGBLOCK", "id": "211480", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_211480/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2045, "FileHash-MD5": 4426, "URL": 1463, "hostname": 1231, "FileHash-SHA256": 5892, "FileHash-SHA1": 3625, "IPv4": 189, "CIDR": 6, "email": 163 }, "indicator_count": 19040, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "oastify.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "oastify.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776708222.8298445 }