{ "type": "Domain", "indicator": "palshona.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/palshona.com", "alexa": "http://www.alexa.com/siteinfo/palshona.com", "indicator": "palshona.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4237399992, "indicator": "palshona.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69c5a04382b357bdc81343b4", "name": "EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons", "description": "EtherRAT, a Node.js-based backdoor linked to a North Korean APT group, was detected in a retail customer's environment. It allows arbitrary command execution, extensive system information gathering, and asset theft. The malware uses 'EtherHiding' to store C2 addresses in Ethereum smart contracts, making infrastructure resilient to takedowns. It communicates using CDN-like beaconing to blend with normal traffic. Initial access varied, including ClickFix and IT Support scams via Microsoft Teams. A SYS_INFO module performs comprehensive host fingerprinting for target selection. The malware checks for CIS languages and self-destructs if found. It collects detailed system information, including hardware, software, and network details.", "modified": "2026-04-25T21:33:36.686000", "created": "2026-03-26T21:08:19.591000", "tags": [ "sys_info module", "backdoor", "cdn-like beaconing", "ethereum", "host fingerprinting", "cis language check", "etherhiding", "node.js", "it support scams", "etherrat" ], "references": [ "https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons" ], "public": 1, "adversary": "North Korean APT group", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Retail", "Business Services", "Software", "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "domain": 11, "hostname": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 386460, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b436b99318655032774a0", "name": "EtherRAT Campaign Targeted Enterprise Admins via SEO Poisoning", "description": "", "modified": "2026-05-18T16:50:51.805000", "created": "2026-05-18T16:50:51.805000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 16, "URL": 64, "IPv4": 5, "domain": 46 }, "indicator_count": 131, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fdcf72325b49520348bb0a", "name": "EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades", "description": "In March 2026, a highly sophisticated cyber threat campaign was discovered by the Atos Threat Research Center, which specifically targets high-privilege IT personnel like enterprise administrators and security analysts. The attackers employ a dual-layered GitHub repository distribution method, leveraging Search Engine Optimization (SEO) poisoning to manipulate search results for administrative utilities, directing victims to malicious MSI installers masquerading as legitimate tools. This approach maximizes the campaign's resilience, allowing the attackers to evade takedown efforts by keeping the malicious code on secondary repositories while the primary facade remains benign and SEO-optimized.", "modified": "2026-05-08T11:56:34.128000", "created": "2026-05-08T11:56:34.128000", "tags": [ "c2 address", "c2 ip", "javascript file", "windows process", "task manager", "ethereum smart", "ethereum api", "ip address", "url path", "run registry", "lazarus", "apt34", "remote access", "msi", "node.js", "tsundere", "utility spoofing", "threat" ], "references": [ "https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "EtherRAT", "display_name": "EtherRAT", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [ "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 64, "hostname": 17, "domain": 46 }, "indicator_count": 132, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "22 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "26 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd4ab845e4c43edd557b92", "name": "EbeeMar2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:41:28.726000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "GhostSocks, Resoker, DeepLoad Malware, Pawn Storm Campaign, St.M.Trojan, CrySome RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 77, "FileHash-MD5": 156, "FileHash-SHA1": 159, "FileHash-SHA256": 186, "CVE": 1, "URL": 19, "email": 6, "hostname": 53 }, "indicator_count": 657, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cd48ce7b65f7a9350024cd", "name": "EbeeMar2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-01T16:15:36.188000", "created": "2026-04-01T16:33:18.540000", "tags": [], "references": [ "IOCs.2026.pdf" ], "public": 1, "adversary": "Keenadu, Poisoned Security Scanner led to Backdooring LiteLLM, HERALD SPIDER, Pay2Key", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 130, "FileHash-SHA1": 145, "FileHash-SHA256": 207, "CVE": 1, "URL": 25, "domain": 285, "email": 4, "hostname": 82 }, "indicator_count": 879, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c9ea43a762412d5daf80dd", "name": "IOC - EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons", "description": "In March 2026, eSentire's Threat Response Unit (TRU) detected EtherRAT in a customer's environment in the Retail industry. EtherRAT is a Node.js-based backdoor reportedly linked by Sysdig to a North Korean advanced persistent threat (APT) group due to significant overlaps with \"Contagious Interview\" tactics, techniques, and procedures (TTPs).", "modified": "2026-04-29T03:09:49.528000", "created": "2026-03-30T03:13:07.224000", "tags": [ "etherrat c2", "domain", "devnull", "command line", "linux", "etherrat stage", "grep", "get gpu", "line", "linuxmacos", "etherrat" ], "references": [ "https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 10, "hostname": 1 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5b5cccffe6a5e0b756741", "name": "Unknown - Tracking", "description": "