{
  "type": "Domain",
  "indicator": "packedbrick.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/packedbrick.com",
    "alexa": "http://www.alexa.com/siteinfo/packedbrick.com",
    "indicator": "packedbrick.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3988606110,
      "indicator": "packedbrick.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "6895aceaf8d4d7295fce7c8c",
          "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
          "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.",
          "modified": "2025-08-08T08:19:18.280000",
          "created": "2025-08-08T07:53:14.905000",
          "tags": [
            "wastedlocker",
            "socgholish",
            "netsupportrat",
            "malware-as-a-service",
            "fake updates",
            "traffic distribution system",
            "domain shadowing",
            "hades",
            "mintsloader",
            "raspberry robin",
            "lockbit",
            "ransomware",
            "dridex",
            "initial access broker"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "GOLD PRELUDE",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "Raspberry Robin",
              "display_name": "Raspberry Robin",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "WastedLocker - S0612",
              "display_name": "WastedLocker - S0612",
              "target": null
            },
            {
              "id": "NetSupportRAT",
              "display_name": "NetSupportRAT",
              "target": null
            },
            {
              "id": "Hades",
              "display_name": "Hades",
              "target": null
            },
            {
              "id": "Dridex - S0384",
              "display_name": "Dridex - S0384",
              "target": null
            },
            {
              "id": "Bugat v5",
              "display_name": "Bugat v5",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Healthcare",
            "Energy",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 18,
            "hostname": 12
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386492,
          "modified_text": "295 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689481dbbbd16703c99f5f10",
          "name": "Collection of Malware (MintsLoader & SocGholish)",
          "description": "",
          "modified": "2025-09-06T10:00:39.896000",
          "created": "2025-08-07T10:37:15.375000",
          "tags": [],
          "references": [
            "Malware.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 76,
            "FileHash-SHA1": 76,
            "FileHash-SHA256": 211,
            "URL": 115,
            "domain": 104,
            "hostname": 37
          },
          "indicator_count": 619,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "266 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689acf7b65de644b57cec5ca",
          "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
          "description": "",
          "modified": "2025-08-12T05:22:03.648000",
          "created": "2025-08-12T05:22:03.648000",
          "tags": [
            "wastedlocker",
            "socgholish",
            "netsupportrat",
            "malware-as-a-service",
            "fake updates",
            "traffic distribution system",
            "domain shadowing",
            "hades",
            "mintsloader",
            "raspberry robin",
            "lockbit",
            "ransomware",
            "dridex",
            "initial access broker"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "Raspberry Robin",
              "display_name": "Raspberry Robin",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "WastedLocker - S0612",
              "display_name": "WastedLocker - S0612",
              "target": null
            },
            {
              "id": "NetSupportRAT",
              "display_name": "NetSupportRAT",
              "target": null
            },
            {
              "id": "Hades",
              "display_name": "Hades",
              "target": null
            },
            {
              "id": "Dridex - S0384",
              "display_name": "Dridex - S0384",
              "target": null
            },
            {
              "id": "Bugat v5",
              "display_name": "Bugat v5",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Healthcare",
            "Energy",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "6895aceaf8d4d7295fce7c8c",
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 18,
            "hostname": 12
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "292 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689901bb2323b0727bc2539f",
          "name": "SocGholish Malware Exploits TDS Networks to Target Victims",
          "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.",
          "modified": "2025-08-10T20:31:55.193000",
          "created": "2025-08-10T20:31:55.193000",
          "tags": [
            "socgholish",
            "ta569",
            "raspberry robin",
            "keitaro tds",
            "silent push",
            "parrot tds",
            "ta2726",
            "evil corp",
            "russia",
            "dev0243",
            "dridex",
            "mintsloader",
            "push",
            "keitaro",
            "lockbit",
            "attack",
            "first",
            "pioneer",
            "rats",
            "inject",
            "wastedlocker",
            "hades",
            "fakeupdates",
            "malware",
            "fakeupdate",
            "android",
            "trojan",
            "august",
            "agent",
            "installer",
            "worm",
            "thus"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 19,
            "hostname": 14
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "293 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6895e01b6aa8015c20031989",
          "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push",
          "description": "",
          "modified": "2025-08-08T11:31:39.962000",
          "created": "2025-08-08T11:31:39.962000",
          "tags": [
            "socgholish",
            "ta569",
            "raspberry robin",
            "keitaro tds",
            "silent push",
            "parrot tds",
            "ta2726",
            "evil corp",
            "russia",
            "dev0243",
            "dridex",
            "mintsloader",
            "push",
            "keitaro",
            "lockbit",
            "attack",
            "first",
            "pioneer",
            "rats",
            "inject",
            "wastedlocker",
            "hades",
            "fakeupdates",
            "malware",
            "fakeupdate",
            "android",
            "trojan",
            "august",
            "agent",
            "installer",
            "worm",
            "thus"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 19,
            "hostname": 14
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "295 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6894a499b3cdf94c2bea08bc",
          "name": "SocGholish Deploys Malware via Parrot and Keitaro TDS Systems",
          "description": "",
          "modified": "2025-08-07T13:05:29.821000",
          "created": "2025-08-07T13:05:29.821000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 11
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "296 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d993ba788ab940f8f08338",
          "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware",
          "description": "Trend Research analyzed SocGholish\u2019s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.",
          "modified": "2025-04-17T15:00:16.410000",
          "created": "2025-03-18T15:39:37.975000",
          "tags": [
            "description",
            "adsi",
            "dnshostname",
            "data",
            "samaccountname",
            "mail",
            "getcontent",
            "state",
            "encryptedkey",
            "update",
            "trigger",
            "pass",
            "ransomhub"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13,
            "hostname": 36
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "408 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d5e01e96eaa7672f46852e",
          "name": "SocGholish's Exploits Aid in the Spread of RansomHub",
          "description": "",
          "modified": "2025-04-14T20:00:04.351000",
          "created": "2025-03-15T20:16:30.957000",
          "tags": [
            "mitigation",
            "keep",
            "update siem",
            "iocs"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1,
            "domain": 13,
            "hostname": 37
          },
          "indicator_count": 51,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "411 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d533e1155085a0db344a04",
          "name": "SocGholish | Indicators of Compromise",
          "description": "",
          "modified": "2025-04-14T07:01:25.809000",
          "created": "2025-03-15T08:01:37.878000",
          "tags": [
            "description",
            "adsi",
            "dnshostname",
            "data",
            "samaccountname",
            "mail",
            "getcontent",
            "state",
            "encryptedkey",
            "update",
            "trigger",
            "pass",
            "ransomhub"
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13,
            "hostname": 36
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d533e64aac2aefac16a725",
          "name": "SocGholish | Indicators of Compromise",
          "description": "",
          "modified": "2025-04-14T07:01:25.809000",
          "created": "2025-03-15T08:01:42.306000",
          "tags": [
            "description",
            "adsi",
            "dnshostname",
            "data",
            "samaccountname",
            "mail",
            "getcontent",
            "state",
            "encryptedkey",
            "update",
            "trigger",
            "pass",
            "ransomhub"
          ],
          "references": [
            "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ghitansilviu@gmail.com",
            "id": "177478",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13,
            "hostname": 36
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d408ff22965b4a48ac9ac6",
          "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware",
          "description": "A review of the findings of a study on the impact of cyber-attacks on a network of more than 100,000 users in the UK, Ireland, Wales and Northern Ireland (NHS).",
          "modified": "2025-04-13T10:01:22.721000",
          "created": "2025-03-14T10:46:23.236000",
          "tags": [
            "description",
            "adsi",
            "dnshostname",
            "data",
            "samaccountname",
            "mail",
            "getcontent",
            "state",
            "encryptedkey",
            "update",
            "trigger",
            "pass",
            "ransomhub"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 13,
            "hostname": 36
          },
          "indicator_count": 49,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "412 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a23c5e75e6d05d77815d36",
          "name": "WordPress Websites Compromised to Deliver Malware",
          "description": "",
          "modified": "2025-02-04T16:12:14.760000",
          "created": "2025-02-04T16:12:14.760000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 16
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "480 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679df7574cc99cee87a41caf",
          "name": "Large-Scale WordPress Attack Delivers Malware to macOS and Windows",
          "description": "A threat campaign has compromised 10,000 WordPress sites to deliver malware targeting macOS and Windows.",
          "modified": "2025-02-01T10:28:39.730000",
          "created": "2025-02-01T10:28:39.730000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "483 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679b8b4bdf770103aa90a065",
          "name": "Hackers Use 10,000 WordPress Sites To Deliver Malware To macOS and Microsoft Systems",
          "description": "A sophisticated cyberattack has compromised over 10,000 WordPress websites, delivering cross-platform malware to unsuspecting users.\n\nThe campaign exploits outdated WordPress versions and plugins, redirecting visitors to fake browser update pages that deploy malicious software targeting both macOS and Windows systems.",
          "modified": "2025-01-30T14:23:07.732000",
          "created": "2025-01-30T14:23:07.732000",
          "tags": [],
          "references": [
            "https://cybersecuritynews.com/hackers-use-10000-wordpress-sites-to-deliver-malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "485 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672053f217c4e9d5aa86268c",
          "name": "Additional TA569 Middleware Infra Observed - Malasada Tech",
          "description": "Possible upcoming TA569 middleware domains observed. This list includes some IOCs that are already reported elsewhere, and some domains that are indicators of future attack (IoFA).",
          "modified": "2024-11-06T02:54:26.556000",
          "created": "2024-10-29T03:18:10.912000",
          "tags": [
            "TA569"
          ],
          "references": [
            "https://malasada.tech/additional-ta569-middleware-infra-observed/"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "malasada.tech",
            "id": "277538",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 28,
          "modified_text": "571 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://cybersecuritynews.com/hackers-use-10000-wordpress-sites-to-deliver-malware/",
        "Malware.pdf",
        "https://www.silentpush.com/blog/socgholish/",
        "https://malasada.tech/additional-ta569-middleware-infra-observed/",
        "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt",
        "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "GOLD PRELUDE"
          ],
          "malware_families": [
            "Wastedlocker - s0612",
            "Lockbit",
            "Bugat v5",
            "Netsupportrat",
            "Mintsloader",
            "Hades",
            "Dridex - s0384",
            "Socgholish",
            "Raspberry robin"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Energy",
            "Technology",
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "TA569"
          ],
          "malware_families": [
            "Wastedlocker - s0612",
            "Lockbit",
            "Bugat v5",
            "Netsupportrat",
            "Mintsloader",
            "Hades",
            "Ransomhub",
            "Dridex - s0384",
            "Socgholish",
            "Raspberry robin"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Energy",
            "Technology",
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "6895aceaf8d4d7295fce7c8c",
      "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
      "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.",
      "modified": "2025-08-08T08:19:18.280000",
      "created": "2025-08-08T07:53:14.905000",
      "tags": [
        "wastedlocker",
        "socgholish",
        "netsupportrat",
        "malware-as-a-service",
        "fake updates",
        "traffic distribution system",
        "domain shadowing",
        "hades",
        "mintsloader",
        "raspberry robin",
        "lockbit",
        "ransomware",
        "dridex",
        "initial access broker"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "GOLD PRELUDE",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "Raspberry Robin",
          "display_name": "Raspberry Robin",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "WastedLocker - S0612",
          "display_name": "WastedLocker - S0612",
          "target": null
        },
        {
          "id": "NetSupportRAT",
          "display_name": "NetSupportRAT",
          "target": null
        },
        {
          "id": "Hades",
          "display_name": "Hades",
          "target": null
        },
        {
          "id": "Dridex - S0384",
          "display_name": "Dridex - S0384",
          "target": null
        },
        {
          "id": "Bugat v5",
          "display_name": "Bugat v5",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Healthcare",
        "Energy",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 18,
        "hostname": 12
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386492,
      "modified_text": "295 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689481dbbbd16703c99f5f10",
      "name": "Collection of Malware (MintsLoader & SocGholish)",
      "description": "",
      "modified": "2025-09-06T10:00:39.896000",
      "created": "2025-08-07T10:37:15.375000",
      "tags": [],
      "references": [
        "Malware.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 76,
        "FileHash-SHA1": 76,
        "FileHash-SHA256": 211,
        "URL": 115,
        "domain": 104,
        "hostname": 37
      },
      "indicator_count": 619,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "266 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689acf7b65de644b57cec5ca",
      "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
      "description": "",
      "modified": "2025-08-12T05:22:03.648000",
      "created": "2025-08-12T05:22:03.648000",
      "tags": [
        "wastedlocker",
        "socgholish",
        "netsupportrat",
        "malware-as-a-service",
        "fake updates",
        "traffic distribution system",
        "domain shadowing",
        "hades",
        "mintsloader",
        "raspberry robin",
        "lockbit",
        "ransomware",
        "dridex",
        "initial access broker"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "Raspberry Robin",
          "display_name": "Raspberry Robin",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "WastedLocker - S0612",
          "display_name": "WastedLocker - S0612",
          "target": null
        },
        {
          "id": "NetSupportRAT",
          "display_name": "NetSupportRAT",
          "target": null
        },
        {
          "id": "Hades",
          "display_name": "Hades",
          "target": null
        },
        {
          "id": "Dridex - S0384",
          "display_name": "Dridex - S0384",
          "target": null
        },
        {
          "id": "Bugat v5",
          "display_name": "Bugat v5",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Healthcare",
        "Energy",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "6895aceaf8d4d7295fce7c8c",
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 18,
        "hostname": 12
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "292 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689901bb2323b0727bc2539f",
      "name": "SocGholish Malware Exploits TDS Networks to Target Victims",
      "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.",
      "modified": "2025-08-10T20:31:55.193000",
      "created": "2025-08-10T20:31:55.193000",
      "tags": [
        "socgholish",
        "ta569",
        "raspberry robin",
        "keitaro tds",
        "silent push",
        "parrot tds",
        "ta2726",
        "evil corp",
        "russia",
        "dev0243",
        "dridex",
        "mintsloader",
        "push",
        "keitaro",
        "lockbit",
        "attack",
        "first",
        "pioneer",
        "rats",
        "inject",
        "wastedlocker",
        "hades",
        "fakeupdates",
        "malware",
        "fakeupdate",
        "android",
        "trojan",
        "august",
        "agent",
        "installer",
        "worm",
        "thus"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 19,
        "hostname": 14
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "293 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6895e01b6aa8015c20031989",
      "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push",
      "description": "",
      "modified": "2025-08-08T11:31:39.962000",
      "created": "2025-08-08T11:31:39.962000",
      "tags": [
        "socgholish",
        "ta569",
        "raspberry robin",
        "keitaro tds",
        "silent push",
        "parrot tds",
        "ta2726",
        "evil corp",
        "russia",
        "dev0243",
        "dridex",
        "mintsloader",
        "push",
        "keitaro",
        "lockbit",
        "attack",
        "first",
        "pioneer",
        "rats",
        "inject",
        "wastedlocker",
        "hades",
        "fakeupdates",
        "malware",
        "fakeupdate",
        "android",
        "trojan",
        "august",
        "agent",
        "installer",
        "worm",
        "thus"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 19,
        "hostname": 14
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "295 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6894a499b3cdf94c2bea08bc",
      "name": "SocGholish Deploy Malware via Parrot and Keitaro TDF  Systems",
      "description": "",
      "modified": "2025-08-07T13:05:29.821000",
      "created": "2025-08-07T13:05:29.821000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "hostname": 11
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "296 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d993ba788ab940f8f08338",
      "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware",
      "description": "Trend Research analyzed SocGholish\u2019s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.",
      "modified": "2025-04-17T15:00:16.410000",
      "created": "2025-03-18T15:39:37.975000",
      "tags": [
        "description",
        "adsi",
        "dnshostname",
        "data",
        "samaccountname",
        "mail",
        "getcontent",
        "state",
        "encryptedkey",
        "update",
        "trigger",
        "pass",
        "ransomhub"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13,
        "hostname": 36
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "408 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d5e01e96eaa7672f46852e",
      "name": "SocGholish's Exploits Aid in the Spread of RansomHub",
      "description": "",
      "modified": "2025-04-14T20:00:04.351000",
      "created": "2025-03-15T20:16:30.957000",
      "tags": [
        "mitigation",
        "keep",
        "update siem",
        "iocs"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1,
        "domain": 13,
        "hostname": 37
      },
      "indicator_count": 51,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "411 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d533e1155085a0db344a04",
      "name": "SocGholish | Indicators of Compromise",
      "description": "",
      "modified": "2025-04-14T07:01:25.809000",
      "created": "2025-03-15T08:01:37.878000",
      "tags": [
        "description",
        "adsi",
        "dnshostname",
        "data",
        "samaccountname",
        "mail",
        "getcontent",
        "state",
        "encryptedkey",
        "update",
        "trigger",
        "pass",
        "ransomhub"
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13,
        "hostname": 36
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "412 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d533e64aac2aefac16a725",
      "name": "SocGholish | Indicators of Compromise",
      "description": "",
      "modified": "2025-04-14T07:01:25.809000",
      "created": "2025-03-15T08:01:42.306000",
      "tags": [
        "description",
        "adsi",
        "dnshostname",
        "data",
        "samaccountname",
        "mail",
        "getcontent",
        "state",
        "encryptedkey",
        "update",
        "trigger",
        "pass",
        "ransomhub"
      ],
      "references": [
        "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ghitansilviu@gmail.com",
        "id": "177478",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 13,
        "hostname": 36
      },
      "indicator_count": 49,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "412 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "packedbrick.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "packedbrick.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211962.8717988
}