{
  "type": "Domain",
  "indicator": "otbmail.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/otbmail.com",
    "alexa": "http://www.alexa.com/siteinfo/otbmail.com",
    "indicator": "otbmail.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3410370762,
      "indicator": "otbmail.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "62440b9f3387aac2e17267a6",
          "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
          "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
          "modified": "2022-04-29T00:05:19.794000",
          "created": "2022-03-30T07:49:51.026000",
          "tags": [
            "transparent tribe",
            "crimsonrat",
            "india",
            "obliquerat",
            "afghanistan",
            "apt36",
            "mythic leopard",
            "apt"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "Transparent Tribe",
          "targeted_countries": [
            "Afghanistan",
            "India"
          ],
          "malware_families": [
            {
              "id": "CrimsonRAT",
              "display_name": "CrimsonRAT",
              "target": null
            },
            {
              "id": "ObliqueRAT",
              "display_name": "ObliqueRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1407",
              "name": "Download New Code at Runtime",
              "display_name": "T1407 - Download New Code at Runtime"
            }
          ],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 297,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 18,
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386613,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659072f784c47e7b812b36b5",
          "name": "APT36",
          "description": "AKA Transparent Tribe, ProjectM, Mythic Leopard, Earth Karkaddan, Copper Fieldstone, TMP.Lapis, C-Major.\n\nIOCs gathered from social media, other analysts, and individual research.",
          "modified": "2024-01-29T19:00:22.198000",
          "created": "2023-12-30T19:43:51.653000",
          "tags": [
            "dem0",
            "pena",
            "whatsoevers3r"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091",
            "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major",
            "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1",
            "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
            "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations",
            "https://blog.talosintelligence.com/transparent-tribe-new-campaign/",
            "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
          ],
          "public": 1,
          "adversary": "APT-C-36",
          "targeted_countries": [
            "India"
          ],
          "malware_families": [
            {
              "id": "Trojan:MSIL/CrimsonRAT",
              "display_name": "Trojan:MSIL/CrimsonRAT",
              "target": "/malware/Trojan:MSIL/CrimsonRAT"
            },
            {
              "id": "Peppy - S0643",
              "display_name": "Peppy - S0643",
              "target": null
            },
            {
              "id": "ObliqueRAT - S0644",
              "display_name": "ObliqueRAT - S0644",
              "target": null
            },
            {
              "id": "DarkComet - S0334",
              "display_name": "DarkComet - S0334",
              "target": null
            },
            {
              "id": "ALF:TrojanDownloader:MSIL/Njrat",
              "display_name": "ALF:TrojanDownloader:MSIL/Njrat",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1608.004",
              "name": "Drive-by Target",
              "display_name": "T1608.004 - Drive-by Target"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1587.003",
              "name": "Digital Certificates",
              "display_name": "T1587.003 - Digital Certificates"
            },
            {
              "id": "T1564.001",
              "name": "Hidden Files and Directories",
              "display_name": "T1564.001 - Hidden Files and Directories"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Government",
            "Education",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ajmeese7",
            "id": "218349",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "FileHash-MD5": 87,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 136,
            "domain": 43,
            "hostname": 6
          },
          "indicator_count": 415,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 53,
          "modified_text": "853 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "624ed65aa7fc09fc7a6a856a",
          "name": "Government Sector Cyber Threat Intel - Key Insights (March 2022)",
          "description": "In March, a Transparent Tribe campaign was found targeting the Indian government and military entities. The attacker was infecting victims with CrimsonRAT along with new stagers and implants. Further, the attackers created fake domains mimicking legitimate military and defense organizations.\n\nOther Major Incidents\nCybercriminals identified as Curious Gorge, Ghostwriter APT, and COLDRIVER were targeting NATO and Eastern European countries by launching phishing and malware attacks. Mustang Panda, UNC1151, and SCARAB were using war-related themes to target mostly Ukraine in a spear-phishing campaign. Hong Kong\u2019s electoral office apologized after an employee failed to follow guidelines and sent the personal details of voters to a random email address.",
          "modified": "2022-05-07T00:03:18.570000",
          "created": "2022-04-07T12:17:30.675000",
          "tags": [
            "dem0",
            "pena",
            "domains",
            "downloaders",
            "whatsoevers3r",
            "navy filename",
            "sha256",
            "spear phishing",
            "campaign rtf",
            "mshtml",
            "powershell",
            "crimsonrat",
            "Government Sector"
          ],
          "references": [],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 43,
            "URL": 22,
            "domain": 20,
            "hostname": 2
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 193,
          "modified_text": "1486 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "624afa1411585bad1863aba7",
          "name": "Transparent Tribe Hacking Group is Back to Target Indian Government and Military",
          "description": "The Transparent Tribe hacking group is back with a new malware arsenal and victim list including India's government and military. Also tracked as PROJECTM, APT36, and Mythic Leopard, the Transparent Tribe is suspected of being of Pakistani origin.\n\nVictims\nThe APT group has been active since at least 2013 and operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan, with the exception being attacks recorded against human rights activists in Pakistan.\n\nLatest campaign\nAn ongoing campaign since at least June 2021 is targeting the Indian government and military bodies. The group uses phishing to deliver maldocs and malicious web domains, which are primarily Windows-based. The fake websites mimic government and defense organizations and serve visitors downloader executables, packaged up to appear to be friendly software, PDFs, or image files.",
          "modified": "2022-05-04T00:05:07.263000",
          "created": "2022-04-04T14:00:52.621000",
          "tags": [
            "dem0",
            "pena",
            "whatsoevers3r",
            "iocs maldocs",
            "downloaders",
            "crimsonrat",
            "intermediate",
            "vhdx",
            "urls http"
          ],
          "references": [
            "https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military/#ftag=RSSbaffb68"
          ],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 80,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 195,
          "modified_text": "1489 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6243f4013e477e7e5939336a",
          "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
          "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
          "modified": "2022-04-29T00:05:19.794000",
          "created": "2022-03-30T06:09:05.422000",
          "tags": [
            "timeline",
            "transparent tribe",
            "sidecopy",
            "tribe",
            "crimsonrat",
            "india",
            "cisco secure",
            "june",
            "dem0",
            "pena",
            "rats",
            "obliquerat",
            "talos",
            "kavach",
            "download",
            "mark",
            "february",
            "keylogger",
            "write",
            "desktop",
            "maldoc",
            "umbrella",
            "python"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "Transparent Tribe",
          "targeted_countries": [
            "Afghanistan",
            "India"
          ],
          "malware_families": [
            {
              "id": "Timeline",
              "display_name": "Timeline",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cyberasmi",
            "id": "169715",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 18,
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 59,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6244361cacf3464c40ff7802",
          "name": "Transparent Tribe Campaign Uses New Bespoke Malware To Launch Attack",
          "description": "Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations. In the latest campaigns, the threat actor has used multiple delivery methods such as executables masquerading as installers of legitimate applications, archive files and maldocs.",
          "modified": "2022-04-29T00:05:19.794000",
          "created": "2022-03-30T10:51:08.515000",
          "tags": [],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 192,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Provintell-Lab",
            "id": "112104",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "domain": 6,
            "hostname": 1
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 254,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62444385c0cc858e1335e4d7",
          "name": "Transparent Tribe - APT36 using new Bespoke Malware in Campaign",
          "description": "APT36 using bespoke Malware within their campaigns against Indian Government Officials",
          "modified": "2022-04-29T00:05:19.794000",
          "created": "2022-03-30T11:48:21.163000",
          "tags": [
            "APT36",
            "TransparentTribe",
            "Mythic Leopard"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "India"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/CrimsonRat",
              "display_name": "Trojan:Win32/CrimsonRat",
              "target": "/malware/Trojan:Win32/CrimsonRat"
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "BITSecurity",
            "id": "103352",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 18,
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 244,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6242ff9b09c1a8965f943f00",
          "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
          "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
          "modified": "2022-04-28T00:00:15.198000",
          "created": "2022-03-29T12:46:19.259000",
          "tags": [
            "timeline",
            "transparent tribe",
            "sidecopy",
            "tribe",
            "crimsonrat",
            "india",
            "cisco secure",
            "june",
            "dem0",
            "pena",
            "rats",
            "obliquerat",
            "talos",
            "kavach",
            "download",
            "mark",
            "february",
            "keylogger",
            "write",
            "desktop",
            "maldoc",
            "umbrella",
            "python"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "Transparent Tribe",
          "targeted_countries": [
            "Afghanistan",
            "India"
          ],
          "malware_families": [
            {
              "id": "Timeline",
              "display_name": "Timeline",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bluewatcher",
            "id": "174522",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 18,
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 114,
          "modified_text": "1495 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6243f0d43aecb45c5e8747ee",
          "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
          "description": "",
          "modified": "2022-04-28T00:00:15.198000",
          "created": "2022-03-30T05:55:32.684000",
          "tags": [
            "timeline",
            "transparent tribe",
            "sidecopy",
            "tribe",
            "crimsonrat",
            "india",
            "cisco secure",
            "june",
            "dem0",
            "pena",
            "rats",
            "obliquerat",
            "talos",
            "kavach",
            "download",
            "mark",
            "february",
            "keylogger",
            "write",
            "desktop",
            "maldoc",
            "umbrella",
            "python"
          ],
          "references": [
            "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
          ],
          "public": 1,
          "adversary": "Transparent Tribe",
          "targeted_countries": [
            "Afghanistan",
            "India"
          ],
          "malware_families": [
            {
              "id": "Timeline",
              "display_name": "Timeline",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            }
          ],
          "industries": [
            "Military",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "624321a21f99c3f8abb47ebd",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 19,
            "domain": 7,
            "FileHash-MD5": 18,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 36,
            "hostname": 1
          },
          "indicator_count": 99,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "1495 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html",
        "https://blog.talosintelligence.com/transparent-tribe-new-campaign/",
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html",
        "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091",
        "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
        "https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military/#ftag=RSSbaffb68",
        "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major",
        "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Transparent Tribe"
          ],
          "malware_families": [
            "Crimsonrat",
            "Obliquerat"
          ],
          "industries": [
            "Government",
            "Military"
          ]
        },
        "other": {
          "adversary": [
            "APT-C-36",
            "Informational",
            "Transparent Tribe"
          ],
          "malware_families": [
            "Darkcomet - s0334",
            "Obliquerat - s0644",
            "Timeline",
            "Peppy - s0643",
            "Trojan:msil/crimsonrat",
            "Alf:trojandownloader:msil/njrat",
            "Trojan:win32/crimsonrat"
          ],
          "industries": [
            "Education",
            "Defense",
            "Government",
            "Military"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "62440b9f3387aac2e17267a6",
      "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
      "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
      "modified": "2022-04-29T00:05:19.794000",
      "created": "2022-03-30T07:49:51.026000",
      "tags": [
        "transparent tribe",
        "crimsonrat",
        "india",
        "obliquerat",
        "afghanistan",
        "apt36",
        "mythic leopard",
        "apt"
      ],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "Transparent Tribe",
      "targeted_countries": [
        "Afghanistan",
        "India"
      ],
      "malware_families": [
        {
          "id": "CrimsonRAT",
          "display_name": "CrimsonRAT",
          "target": null
        },
        {
          "id": "ObliqueRAT",
          "display_name": "ObliqueRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1407",
          "name": "Download New Code at Runtime",
          "display_name": "T1407 - Download New Code at Runtime"
        }
      ],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 297,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 18,
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386613,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "659072f784c47e7b812b36b5",
      "name": "APT36",
      "description": "AKA Transparent Tribe, ProjectM, Mythic Leopard, Earth Karkaddan, Copper Fieldstone, TMP.Lapis, C-Major.\n\nIOCs gathered from social media, other analysts, and individual research.",
      "modified": "2024-01-29T19:00:22.198000",
      "created": "2023-12-30T19:43:51.653000",
      "tags": [
        "dem0",
        "pena",
        "whatsoevers3r"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/56672e6bb7a1f5558d45fc15c5e1c0284ac3dbb180cb9527f069bbc2b125f091",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/operation_c-major",
        "https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Transparent%20Tribe%2C%20APT%2036&n=1",
        "https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/",
        "https://www.zscaler.com/blogs/security-research/apt-36-uses-new-ttps-and-new-tools-target-indian-governmental-organizations",
        "https://blog.talosintelligence.com/transparent-tribe-new-campaign/",
        "https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html"
      ],
      "public": 1,
      "adversary": "APT-C-36",
      "targeted_countries": [
        "India"
      ],
      "malware_families": [
        {
          "id": "Trojan:MSIL/CrimsonRAT",
          "display_name": "Trojan:MSIL/CrimsonRAT",
          "target": "/malware/Trojan:MSIL/CrimsonRAT"
        },
        {
          "id": "Peppy - S0643",
          "display_name": "Peppy - S0643",
          "target": null
        },
        {
          "id": "ObliqueRAT - S0644",
          "display_name": "ObliqueRAT - S0644",
          "target": null
        },
        {
          "id": "DarkComet - S0334",
          "display_name": "DarkComet - S0334",
          "target": null
        },
        {
          "id": "ALF:TrojanDownloader:MSIL/Njrat",
          "display_name": "ALF:TrojanDownloader:MSIL/Njrat",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1608.004",
          "name": "Drive-by Target",
          "display_name": "T1608.004 - Drive-by Target"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1587.003",
          "name": "Digital Certificates",
          "display_name": "T1587.003 - Digital Certificates"
        },
        {
          "id": "T1564.001",
          "name": "Hidden Files and Directories",
          "display_name": "T1564.001 - Hidden Files and Directories"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Government",
        "Education",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ajmeese7",
        "id": "218349",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "FileHash-MD5": 87,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 136,
        "domain": 43,
        "hostname": 6
      },
      "indicator_count": 415,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 53,
      "modified_text": "853 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "624ed65aa7fc09fc7a6a856a",
      "name": "Government Sector Cyber Threat Intel - Key Insights (March 2022)",
      "description": "In March, a Transparent Tribe campaign was found targeting the Indian government and military entities. The attacker was infecting victims with CrimsonRAT along with new stagers and implants. Further, the attackers created fake domains mimicking legitimate military and defense organizations.\n\nOther Major Incidents\nCybercriminals identified as Curious Gorge, Ghostwriter APT, and COLDRIVER were targeting NATO and Eastern European countries by launching phishing and malware attacks. Mustang Panda, UNC1151, and SCARAB were using war-related themes to target mostly Ukraine in a spear-phishing campaign. Hong Kong\u2019s electoral office apologized after an employee failed to follow guidelines and sent the personal details of voters to a random email address.",
      "modified": "2022-05-07T00:03:18.570000",
      "created": "2022-04-07T12:17:30.675000",
      "tags": [
        "dem0",
        "pena",
        "domains",
        "downloaders",
        "whatsoevers3r",
        "navy filename",
        "sha256",
        "spear phishing",
        "campaign rtf",
        "mshtml",
        "powershell",
        "crimsonrat",
        "Government Sector"
      ],
      "references": [],
      "public": 1,
      "adversary": "Informational",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 43,
        "URL": 22,
        "domain": 20,
        "hostname": 2
      },
      "indicator_count": 129,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 193,
      "modified_text": "1486 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "624afa1411585bad1863aba7",
      "name": "Transparent Tribe Hacking Group is Back to Target Indian Government and Military",
      "description": "The Transparent Tribe hacking group is back with a new malware arsenal and victim list including India's government and military. Also tracked as ROJECTM, APT36, and Mythic Leopard, the Transparent Tribe is suspected of being of Pakistani origin.\n\nVictims\nThe APT group is active since at least 2013 and operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan, with the exception being attacks recorded against human rights activists in Pakistan.\n\nLatest campaign\nAn ongoing campaign since at least June 2021 is targeting the Indian government and military bodies. The group uses phishing to deliver maldocs and malicious web domains, which are primarily Windows-based. The fake websites mimic government and defense organizations and serve visitors downloader executables, packaged up to appear to be friendly software, PDFs, or image files.",
      "modified": "2022-05-04T00:05:07.263000",
      "created": "2022-04-04T14:00:52.621000",
      "tags": [
        "dem0",
        "pena",
        "whatsoevers3r",
        "iocs maldocs",
        "downloaders",
        "crimsonrat",
        "intermediate",
        "vhdx",
        "urls http"
      ],
      "references": [
        "https://www.zdnet.com/article/transparent-tribe-apt-returns-to-strike-indias-government-and-military/#ftag=RSSbaffb68"
      ],
      "public": 1,
      "adversary": "Informational",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SVThreatIntel",
        "id": "148120",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 80,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 195,
      "modified_text": "1489 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6243f4013e477e7e5939336a",
      "name": "Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
      "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
      "modified": "2022-04-29T00:05:19.794000",
      "created": "2022-03-30T06:09:05.422000",
      "tags": [
        "timeline",
        "transparent tribe",
        "sidecopy",
        "tribe",
        "crimsonrat",
        "india",
        "cisco secure",
        "june",
        "dem0",
        "pena",
        "rats",
        "obliquerat",
        "talos",
        "kavach",
        "download",
        "mark",
        "february",
        "keylogger",
        "write",
        "desktop",
        "maldoc",
        "umbrella",
        "python"
      ],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "Transparent Tribe",
      "targeted_countries": [
        "Afghanistan",
        "India"
      ],
      "malware_families": [
        {
          "id": "Timeline",
          "display_name": "Timeline",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cyberasmi",
        "id": "169715",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 18,
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 59,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6244361cacf3464c40ff7802",
      "name": "Transparent Tribe Campaign Uses New Bespoke Malware To Launch Attack",
      "description": "Transparent Tribe, also known as APT36 and Mythic Leopard continues to create fake domains mimicking legitimate military ad defense organizations. In the latest campaigns, the threat actor have been used multiple delivery methods such as executables masquerading as installers of legitimate applications, archive files and maldocs.",
      "modified": "2022-04-29T00:05:19.794000",
      "created": "2022-03-30T10:51:08.515000",
      "tags": [],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 192,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Provintell-Lab",
        "id": "112104",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "domain": 6,
        "hostname": 1
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 254,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62444385c0cc858e1335e4d7",
      "name": "Transparent Tribe - APT36 using new Bespoke Malware in Campaign",
      "description": "APT36 using bespoke Malware within their campaigns against Indian Government Officials",
      "modified": "2022-04-29T00:05:19.794000",
      "created": "2022-03-30T11:48:21.163000",
      "tags": [
        "APT36",
        "TransparentTribe",
        "Mythic Leopard"
      ],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "India"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/CrimsonRat",
          "display_name": "Trojan:Win32/CrimsonRat",
          "target": "/malware/Trojan:Win32/CrimsonRat"
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "BITSecurity",
        "id": "103352",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_103352/resized/80/avatar_1540652530.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 18,
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 244,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6242ff9b09c1a8965f943f00",
      "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
      "description": "Cisco Talos has observed a new campaign by the Transparent Tribe threat actor targeting Indian government and military entities in the Indian subcontinent, as well as a number of other cyber-espionage operations.",
      "modified": "2022-04-28T00:00:15.198000",
      "created": "2022-03-29T12:46:19.259000",
      "tags": [
        "timeline",
        "transparent tribe",
        "sidecopy",
        "tribe",
        "crimsonrat",
        "india",
        "cisco secure",
        "june",
        "dem0",
        "pena",
        "rats",
        "obliquerat",
        "talos",
        "kavach",
        "download",
        "mark",
        "february",
        "keylogger",
        "write",
        "desktop",
        "maldoc",
        "umbrella",
        "python"
      ],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "Transparent Tribe",
      "targeted_countries": [
        "Afghanistan",
        "India"
      ],
      "malware_families": [
        {
          "id": "Timeline",
          "display_name": "Timeline",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bluewatcher",
        "id": "174522",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 18,
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 114,
      "modified_text": "1495 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6243f0d43aecb45c5e8747ee",
      "name": "Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Transparent Tribe campaign uses new bespoke malware to target Indian government officials",
      "description": "",
      "modified": "2022-04-28T00:00:15.198000",
      "created": "2022-03-30T05:55:32.684000",
      "tags": [
        "timeline",
        "transparent tribe",
        "sidecopy",
        "tribe",
        "crimsonrat",
        "india",
        "cisco secure",
        "june",
        "dem0",
        "pena",
        "rats",
        "obliquerat",
        "talos",
        "kavach",
        "download",
        "mark",
        "february",
        "keylogger",
        "write",
        "desktop",
        "maldoc",
        "umbrella",
        "python"
      ],
      "references": [
        "https://blog.talosintelligence.com/2022/03/transparent-tribe-new-campaign.html"
      ],
      "public": 1,
      "adversary": "Transparent Tribe",
      "targeted_countries": [
        "Afghanistan",
        "India"
      ],
      "malware_families": [
        {
          "id": "Timeline",
          "display_name": "Timeline",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        }
      ],
      "industries": [
        "Military",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "624321a21f99c3f8abb47ebd",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 19,
        "domain": 7,
        "FileHash-MD5": 18,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 36,
        "hostname": 1
      },
      "indicator_count": 99,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "1495 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "otbmail.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "otbmail.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780283974.294411
}