{ "type": "Domain", "indicator": "officehoster.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/officehoster.com", "alexa": "http://www.alexa.com/siteinfo/officehoster.com", "indicator": "officehoster.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3445221669, "indicator": "officehoster.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "628380e1d73eb199b249f58a", "name": "Operation RestyLink: APT campaign targeting Japanese companies", "description": "NTT SOC observed APT campaign targeting Japanese companies starting from mid of April 2022. They think that this campaign had already started in March 2022 and related attack might have performed around October 2021. It implies that this campaign is not temporary nor intensive, and it could continue from here forward.", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-17T11:02:56.281000", "tags": [ "APT", "Japan", "spear phishing", "email", "LNK", "malicious document" ], "references": [ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 262, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386551, "modified_text": "1445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627b9aa3b3842d989f57bfe6", "name": "Operation RestyLink: Targeted attack campaign targeting Japanese companies", "description": "Since mid- April 2022 , multiple organizations have been observing targeted attack campaigns targeting Japanese companies. This attack campaign is believed to have been active in March 2022 , and it is possible that a related attack was also underway in October 2021 . For this reason, it is possible that attacks will continue in the future, rather than short-term, one-off attack campaigns.", "modified": "2022-06-10T00:04:38.296000", "created": "2022-05-11T11:14:42.420000", "tags": [ "darkhotel", "cobalt strike", "RestyLink", "LNK file" ], "references": [ "https://insight--jp-nttsecurity-com.translate.goog/post/102ho8o/operation-restylink?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en" ], "public": 1, "adversary": "DarkHotel", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 270, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386553, "modified_text": "1451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62831ddf1d23b20a28c75d2a", "name": "Operation RestyLink: APT campaign targeting Japanese companies", "description": "An APT campaign targeting Japanese companies started in mid-April 2022 and may have performed a similar attack around October 2021, according to NTT Security Japan's research team and its security analyst Rintaro Koike.", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-17T04:00:31.752000", "tags": [ "cobalt strike", "golang", "apt29", "japan", "dot file", "april", "lnk file", "dll file", "apt group", "march", "october", "microsoft word", "darkhotel", "virustotal", "covenant", "config", "kimsuky", "malware", "wellmess", "june", "panda" ], "references": [ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Golang", "display_name": "Golang", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "caralin0702", "id": "73972", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 8, "email": 1, "hostname": 3 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627ba17db442ec1f57721015", "name": "RestyLink", "description": "The full text of the text and characters on the server below: \u00c2\u00a31.5m.. (\u20ac2.4m; $3.6m)...-", "modified": "2022-06-10T00:04:38.296000", "created": "2022-05-11T11:43:57.325000", "tags": [], "references": [ "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", "https://insight--jp-nttsecurity-com.translate.goog/post/102ho8o/operation-restylink?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en", "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink" ], "related": { "alienvault": { "adversary": [ "DarkHotel", "APT29" ], "malware_families": [ "Cobalt strike - s0154" ], "industries": [] }, "other": { "adversary": [ "APT29" ], "malware_families": [ "Golang", "Cobalt strike" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "628380e1d73eb199b249f58a", "name": "Operation RestyLink: APT campaign targeting Japanese companies", "description": "NTT SOC observed APT campaign targeting Japanese companies starting from mid of April 2022. They think that this campaign had already started in March 2022 and related attack might have performed around October 2021. It implies that this campaign is not temporary nor intensive, and it could continue from here forward.", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-17T11:02:56.281000", "tags": [ "APT", "Japan", "spear phishing", "email", "LNK", "malicious document" ], "references": [ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "Japan" ], "malware_families": [], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 262, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 6 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 386551, "modified_text": "1445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627b9aa3b3842d989f57bfe6", "name": "Operation RestyLink: Targeted attack campaign targeting Japanese companies", "description": "Since mid- April 2022 , multiple organizations have been observing targeted attack campaigns targeting Japanese companies. This attack campaign is believed to have been active in March 2022 , and it is possible that a related attack was also underway in October 2021 . For this reason, it is possible that attacks will continue in the future, rather than short-term, one-off attack campaigns.", "modified": "2022-06-10T00:04:38.296000", "created": "2022-05-11T11:14:42.420000", "tags": [ "darkhotel", "cobalt strike", "RestyLink", "LNK file" ], "references": [ "https://insight--jp-nttsecurity-com.translate.goog/post/102ho8o/operation-restylink?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en" ], "public": 1, "adversary": "DarkHotel", "targeted_countries": [ "Japan" ], "malware_families": [ { "id": "Cobalt Strike - S0154", "display_name": "Cobalt Strike - S0154", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1137", "name": "Office Application Startup", "display_name": "T1137 - Office Application Startup" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 270, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386553, "modified_text": "1451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62831ddf1d23b20a28c75d2a", "name": "Operation RestyLink: APT campaign targeting Japanese companies", "description": "An APT campaign targeting Japanese companies started in mid-April 2022 and may have performed a similar attack around October 2021, according to NTT Security Japan's research team and its security analyst Rintaro Koike.", "modified": "2022-06-16T00:01:26.112000", "created": "2022-05-17T04:00:31.752000", "tags": [ "cobalt strike", "golang", "apt29", "japan", "dot file", "april", "lnk file", "dll file", "apt group", "march", "october", "microsoft word", "darkhotel", "virustotal", "covenant", "config", "kimsuky", "malware", "wellmess", "june", "panda" ], "references": [ "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies" ], "public": 1, "adversary": "APT29", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Golang", "display_name": "Golang", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "caralin0702", "id": "73972", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 8, "email": 1, "hostname": 3 }, "indicator_count": 18, "is_author": false, "is_subscribing": null, "subscriber_count": 107, "modified_text": "1445 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "627ba17db442ec1f57721015", "name": "RestyLink", "description": "The full text of the text and characters on the server below: \u00c2\u00a31.5m.. (\u20ac2.4m; $3.6m)...-", "modified": "2022-06-10T00:04:38.296000", "created": "2022-05-11T11:43:57.325000", "tags": [], "references": [ "https://insight-jp.nttsecurity.com/post/102ho8o/operation-restylink" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "1451 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "officehoster.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "officehoster.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780242626.037098 }