{ "type": "Domain", "indicator": "obfuscate.io", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/obfuscate.io", "alexa": "http://www.alexa.com/siteinfo/obfuscate.io", "indicator": "obfuscate.io", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4068785910, "indicator": "obfuscate.io", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69f3241b2759ee934874df9f", "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.", "modified": "2026-05-30T09:04:01.553000", "created": "2026-04-30T09:42:51.123000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 386442, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69faa5ac2f35f2ba145bf544", "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "", "modified": "2026-05-30T09:04:01.553000", "created": "2026-05-06T02:21:32.241000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": "69f3241b2759ee934874df9f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 551992, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "374 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6826fd781ceaad59a92471f5", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline", "description": "This article provides an in-depth analysis of the Tycoon 2FA phishing kit, focusing on its continuous evolution and the sophisticated techniques it employs to bypass two-factor authentication (2FA) for Microsoft 365 and Gmail. It explores various evasion mechanisms, including code obfuscation, CAPTCHA checks, and browser fingerprinting, detailing how these methods have changed over time. The study also offers practical tips for detecting Tycoon 2FA attacks, emphasizing the importance of behavioral analysis over signature-based detection.", "modified": "2025-05-16T08:55:20.294000", "created": "2025-05-16T08:55:20.294000", "tags": [ "tycoon", "mechanism", "stage", "captcha", "shift", "april", "captchas", "mechanisms", "phaas", "tycoon2fa", "generic", "telegram", "august", "false", "model", "error", "stages", "saad tycoon" ], "references": [ "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 25, "domain": 4, "hostname": 24 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "379 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/", "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf" ], "related": { "alienvault": { "adversary": [ "Silver Fox" ], "malware_families": [ "Valleyrat", "Rustsl", "Winos 4.0", "Abcdoor" ], "industries": [ "Transportation", "Retail", "Manufacturing" ] }, "other": { "adversary": [ "Silver Fox", "Saad Tycoon" ], "malware_families": [ "Abcdoor", "Valleyrat", "Rustsl", "Winos 4.0", "Encrypted" ], "industries": [ "Transportation", "Retail", "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69f3241b2759ee934874df9f", "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.", "modified": "2026-05-30T09:04:01.553000", "created": "2026-04-30T09:42:51.123000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 386442, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69faa5ac2f35f2ba145bf544", "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "", "modified": "2026-05-30T09:04:01.553000", "created": "2026-05-06T02:21:32.241000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": "69f3241b2759ee934874df9f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 551992, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "15 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851011a6c087abfa19e269b", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms", "description": "The evolution of cybercriminals\u2019s tactics for bypassing two-factor authentication (2FA) is revealed in a study by security researchers at the Institute for Strategic Studies (ISS).", "modified": "2025-06-17T05:52:06.768000", "created": "2025-06-17T05:46:02.707000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "telegram", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/", "https://socradar.io/tycoon-2fa-an-evolving-phishing-kit-phaas-threats/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 51, "domain": 4, "hostname": 25 }, "indicator_count": 81, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "347 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ce996ee00bc29988d4ed4", "name": "Tycoon 2FA: Advanced Evasion Techniques in Phishing-as-a-Service", "description": "In May 2025, ANY.RUN researchers detailed the evolution of the Tycoon 2FA phishing kit, which targets Microsoft 365 and Gmail credentials. This Phishing-as-a-Service (PhaaS) platform employs sophisticated evasion techniques, including dynamic code generation, obfuscation, and traffic filtering, to bypass two-factor authentication (2FA) defenses. The kit uses an Adversary-in-the-Middle (AiTM) approach to capture session cookies, allowing attackers to reuse sessions and evade security measures. The continuous updates and enhancements in Tycoon 2FA's evasion tactics highlight the persistent threat it poses to corporate defenses.", "modified": "2025-05-20T20:44:06.988000", "created": "2025-05-20T20:44:06.988000", "tags": [ "tycoon", "stage", "mechanism", "april", "redirect", "attack detected", "ctrl", "page", "captcha", "post request", "shift", "meta", "generic", "august", "find", "false", "model", "error", "stages", "date", "manipulation", "invisible", "saad tycoon", "encrypted" ], "references": [ "https://any.run/cybersecurity-blog/tycoon2fa-evasion-analysis/" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [ { "id": "Encrypted", "display_name": "Encrypted", "target": null } ], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 39, "domain": 4, "hostname": 26 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "374 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6826fd781ceaad59a92471f5", "name": "Evolution of Tycoon 2FA Defense Evasion Mechanisms: Analysis and Timeline", "description": "This article provides an in-depth analysis of the Tycoon 2FA phishing kit, focusing on its continuous evolution and the sophisticated techniques it employs to bypass two-factor authentication (2FA) for Microsoft 365 and Gmail. It explores various evasion mechanisms, including code obfuscation, CAPTCHA checks, and browser fingerprinting, detailing how these methods have changed over time. The study also offers practical tips for detecting Tycoon 2FA attacks, emphasizing the importance of behavioral analysis over signature-based detection.", "modified": "2025-05-16T08:55:20.294000", "created": "2025-05-16T08:55:20.294000", "tags": [ "tycoon", "mechanism", "stage", "captcha", "shift", "april", "captchas", "mechanisms", "phaas", "tycoon2fa", "generic", "telegram", "august", "false", "model", "error", "stages", "saad tycoon" ], "references": [ "https://medium.com/@anyrun/evolution-of-tycoon-2fa-defense-evasion-mechanisms-analysis-and-timeline-6ec263227daf" ], "public": 1, "adversary": "Saad Tycoon", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 25, "domain": 4, "hostname": 24 }, "indicator_count": 54, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "379 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "obfuscate.io", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "obfuscate.io", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780165478.5560105 }