{ "type": "Domain", "indicator": "pakgov.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pakgov.net", "alexa": "http://www.alexa.com/siteinfo/pakgov.net", "indicator": "pakgov.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3355733166, "indicator": "pakgov.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "62a076d2745cb59ef9e436de", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article named \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the linked article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year.", "modified": "2022-07-08T00:00:52.441000", "created": "2022-06-08T10:15:45.337000", "tags": [ "aptq37", "aptq41", "aptq39", "manling flower", "aptq42", "tengyun snake", "maya elephant", "rattlesnake", "artradownloader", "muuydownloader" ], "references": [ "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "public": 1, "adversary": "APT-Q-41", "targeted_countries": [], "malware_families": [ { "id": "ArtraDownloader", "display_name": "ArtraDownloader", "target": null }, { "id": "MuuyDownLoader", "display_name": "MuuyDownLoader", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 352, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 37, "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 386500, "modified_text": "1423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62987c8eafd38f2088986035", "name": "Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T09:02:05.981000", "tags": [ "sidewinder", "pakistan", "apt" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" } ], "industries": [ "Military", "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 475, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 2, "hostname": 88 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 386501, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708f66513978034c1c91b0", "name": "Undefined Name", "description": "", "modified": "2023-12-06T15:12:38.363000", "created": "2023-12-06T15:12:38.363000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 256, "domain": 159, "FileHash-MD5": 179, "FileHash-SHA1": 168, "URL": 96, "IPv4": 85, "hostname": 21 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e18660f39e12f266e1e0ab", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the end of the article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year. facilities to share.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-27T18:39:28.851000", "tags": [ "strong", "dde auto", "operation", "aptq37", "chmdde", "research", "tejas", "2021 operation", "magichmchm", "118828570" ], "references": [ "https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1, "domain": 37 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e186aa339d0684cbc7834c", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the end of the article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year. facilities to share.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-27T18:40:42.685000", "tags": [ "strong", "dde auto", "operation", "aptq37", "chmdde", "research", "tejas", "2021 operation", "magichmchm", "118828570" ], "references": [ "https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1, "domain": 37 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a240e3ecd94ddae472eb6a", "name": "test", "description": "", "modified": "2022-07-09T00:01:52.431000", "created": "2022-06-09T18:50:11.481000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "626d6d47f6da18014c30df7e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 179, "FileHash-SHA1": 168, "FileHash-SHA256": 256, "domain": 159, "IPv4": 85, "hostname": 21, "URL": 96 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 510, "modified_text": "1422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a0978fd32c60af66cd36b7", "name": "RattleSnake/BITTER IOCs", "description": "The Red Raindrop Team shares details of the recent attacks by the Cranium group and the Rattlesnake group in South Asia, as well as the previous article, which was published in 2021.", "modified": "2022-07-08T00:00:52.441000", "created": "2022-06-08T12:35:27.801000", "tags": [ "url http", "aptq39", "rattlesnake", "msi", "cranium", "dde auto", "md5 type", "bait", "moyle elephant", "decoy", "artradownloader", "south asia", "cranes", "aptq41", "april", "phishing", "trojan", "drop", "february" ], "references": [ "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "public": 1, "adversary": "Cranium", "targeted_countries": [ "Pakistan", "Bangladesh" ], "malware_families": [ { "id": "MSI", "display_name": "MSI", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 37, "URL": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c2a296d3cea258c9f1c2ad", "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites", "description": "", "modified": "2022-07-04T08:19:34.791000", "created": "2022-07-04T08:19:34.791000", "tags": [ "malware", "info", "pups", "phishing sites", "am cst", "shadowwhisperer", "curl", "wget" ], "references": [ "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 47, "domain": 34626, "hostname": 19 }, "indicator_count": 34702, "is_author": false, "is_subscribing": null, "subscriber_count": 890, "modified_text": "1427 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62985f3690ace88f8dca0c6d", "name": "SideWinder AntiBot Script | Group-IB", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T06:56:54.767000", "tags": [ "sidewinder", "strong", "mimicry", "pakistan", "groupib", "screenshot", "groupib threat", "pakistani", "image", "intelligence", "team", "kill", "powershell", "canvas", "date" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 490, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 8, "email": 1, "hostname": 103 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61e1269c108accf8c054c15d", "name": "NewDom-4-20220114", "description": "ICANN-Dom", "modified": "2022-02-28T00:02:07.729000", "created": "2022-01-14T07:30:36.962000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://blog.group-ib.com/sidewinder-antibot", "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg", "https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/", "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "related": { "alienvault": { "adversary": [ "SideWinder", "APT-Q-41" ], "malware_families": [ "Muuydownloader", "Artradownloader" ], "industries": [ "Government", "Finance", "Military" ] }, "other": { "adversary": [ "SideWinder", "Cranium" ], "malware_families": [ "Msi" ], "industries": [ "Government", "Military" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "62a076d2745cb59ef9e436de", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article named \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the linked article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year.", "modified": "2022-07-08T00:00:52.441000", "created": "2022-06-08T10:15:45.337000", "tags": [ "aptq37", "aptq41", "aptq39", "manling flower", "aptq42", "tengyun snake", "maya elephant", "rattlesnake", "artradownloader", "muuydownloader" ], "references": [ "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "public": 1, "adversary": "APT-Q-41", "targeted_countries": [], "malware_families": [ { "id": "ArtraDownloader", "display_name": "ArtraDownloader", "target": null }, { "id": "MuuyDownLoader", "display_name": "MuuyDownLoader", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1193", "name": "Spearphishing Attachment", "display_name": "T1193 - Spearphishing Attachment" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 352, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 37, "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 386500, "modified_text": "1423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62987c8eafd38f2088986035", "name": "Analysis of SideWinder's new infrastructure and tool that narrows their reach to Pakistan", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T09:02:05.981000", "tags": [ "sidewinder", "pakistan", "apt" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" } ], "industries": [ "Military", "Government", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 341, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 475, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 2, "hostname": 88 }, "indicator_count": 572, "is_author": false, "is_subscribing": null, "subscriber_count": 386501, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708f66513978034c1c91b0", "name": "Undefined Name", "description": "", "modified": "2023-12-06T15:12:38.363000", "created": "2023-12-06T15:12:38.363000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 256, "domain": 159, "FileHash-MD5": 179, "FileHash-SHA1": 168, "URL": 96, "IPv4": 85, "hostname": 21 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e18660f39e12f266e1e0ab", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the end of the article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year. facilities to share.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-27T18:39:28.851000", "tags": [ "strong", "dde auto", "operation", "aptq37", "chmdde", "research", "tejas", "2021 operation", "magichmchm", "118828570" ], "references": [ "https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1, "domain": 37 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62e186aa339d0684cbc7834c", "name": "Operation Tejas: A dying elephant curled up in the Kunlun Mountains", "description": "Qi Anxin Threat Intelligence Center once published the article \"Operation Magichm: A Brief Talk on the Manlinghua Organization's CHM File Delivery and Follow-up Operations\" in 2021 . In addition to the new attack methods and samples used in the latest attack in April, the end of the article will also provide an overview of the recent phishing activities of the Maya Elephant (APT-Q-41) and the basics of the Diamondback (APT-Q-39) this year. facilities to share.", "modified": "2022-08-27T00:02:51.006000", "created": "2022-07-27T18:40:42.685000", "tags": [ "strong", "dde auto", "operation", "aptq37", "chmdde", "research", "tejas", "2021 operation", "magichmchm", "118828570" ], "references": [ "https://ti.qianxin.com/blog/articles/operation-tejas-a-dead-elephant-curled-up-in-the-kunlun-mountains/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "URL": 1, "domain": 37 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 354, "modified_text": "1373 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a240e3ecd94ddae472eb6a", "name": "test", "description": "", "modified": "2022-07-09T00:01:52.431000", "created": "2022-06-09T18:50:11.481000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "626d6d47f6da18014c30df7e", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "threatmanager", "id": "74623", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 179, "FileHash-SHA1": 168, "FileHash-SHA256": 256, "domain": 159, "IPv4": 85, "hostname": 21, "URL": 96 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 510, "modified_text": "1422 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a0978fd32c60af66cd36b7", "name": "RattleSnake/BITTER IOCs", "description": "The Red Raindrop Team shares details of the recent attacks by the Cranium group and the Rattlesnake group in South Asia, as well as the previous article, which was published in 2021.", "modified": "2022-07-08T00:00:52.441000", "created": "2022-06-08T12:35:27.801000", "tags": [ "url http", "aptq39", "rattlesnake", "msi", "cranium", "dde auto", "md5 type", "bait", "moyle elephant", "decoy", "artradownloader", "south asia", "cranes", "aptq41", "april", "phishing", "trojan", "drop", "february" ], "references": [ "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "public": 1, "adversary": "Cranium", "targeted_countries": [ "Pakistan", "Bangladesh" ], "malware_families": [ { "id": "MSI", "display_name": "MSI", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 22, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 37, "URL": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "1423 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c2a296d3cea258c9f1c2ad", "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites", "description": "", "modified": "2022-07-04T08:19:34.791000", "created": "2022-07-04T08:19:34.791000", "tags": [ "malware", "info", "pups", "phishing sites", "am cst", "shadowwhisperer", "curl", "wget" ], "references": [ "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 47, "domain": 34626, "hostname": 19 }, "indicator_count": 34702, "is_author": false, "is_subscribing": null, "subscriber_count": 890, "modified_text": "1427 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62985f3690ace88f8dca0c6d", "name": "SideWinder AntiBot Script | Group-IB", "description": "Researchers from Group-IB Threat Intelligence have discovered a new malicious infrastructure and a custom tool of the Indian nation-state cyber-attack group SideWinder, which has been targeting Pakistani targets since 2012.", "modified": "2022-07-02T00:05:39.094000", "created": "2022-06-02T06:56:54.767000", "tags": [ "sidewinder", "strong", "mimicry", "pakistan", "groupib", "screenshot", "groupib threat", "pakistani", "image", "intelligence", "team", "kill", "powershell", "canvas", "date" ], "references": [ "https://blog.group-ib.com/sidewinder-antibot" ], "public": 1, "adversary": "SideWinder", "targeted_countries": [ "China", "Singapore", "Bangladesh", "Philippines", "Myanmar", "Bhutan", "Sri Lanka", "Nepal", "Afghanistan", "Pakistan" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Military", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bluewatcher", "id": "174522", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 490, "FileHash-MD5": 1, "FileHash-SHA1": 5, "FileHash-SHA256": 1, "domain": 8, "email": 1, "hostname": 103 }, "indicator_count": 609, "is_author": false, "is_subscribing": null, "subscriber_count": 112, "modified_text": "1429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61e1269c108accf8c054c15d", "name": "NewDom-4-20220114", "description": "ICANN-Dom", "modified": "2022-02-28T00:02:07.729000", "created": "2022-01-14T07:30:36.962000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1553 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pakgov.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pakgov.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780216058.0705328 }