{
  "type": "Domain",
  "indicator": "parallelmercywksoffw.shop",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/parallelmercywksoffw.shop",
    "alexa": "http://www.alexa.com/siteinfo/parallelmercywksoffw.shop",
    "indicator": "parallelmercywksoffw.shop",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3905073393,
      "indicator": "parallelmercywksoffw.shop",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 14,
      "pulses": [
        {
          "id": "682e5bb94e2f4e75be640cb5",
          "name": "Lumma Stealer is Out... of business!",
          "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.",
          "modified": "2025-05-22T07:11:18.344000",
          "created": "2025-05-21T23:03:21.624000",
          "tags": [
            "lummac",
            "infrastructure takedown",
            "information stealer",
            "lummac2",
            "redline",
            "multi-tiered c2",
            "malware-as-a-service",
            "data theft"
          ],
          "references": [
            "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business"
          ],
          "public": 1,
          "adversary": "Lumma Stealer",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1555.003",
              "name": "Credentials from Web Browsers",
              "display_name": "T1555.003 - Credentials from Web Browsers"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 60,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1129,
            "hostname": 3
          },
          "indicator_count": 1132,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377575,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "675d2e0cd183cf5668a88c46",
          "name": "Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation",
          "description": "This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by malware operators of families like LummaStealer, Remcos, and Rhadamanthys. HeartCrypt injects malicious code into legitimate binaries and employs various obfuscation techniques to hinder analysis. The packer executes in multiple stages, using encoded resources and anti-sandbox measures. Over 2,000 malicious payloads across 45 malware families have utilized HeartCrypt, highlighting the increasing commoditization of malware development and the need for proactive threat hunting.",
          "modified": "2025-01-13T07:00:01.252000",
          "created": "2024-12-14T07:04:44.519000",
          "tags": [
            "rhadamanthys",
            "remcos",
            "vidar stealer",
            "xworm",
            "process hollowing",
            "anti-sandbox",
            "heartcrypt",
            "lummastealer",
            "redline stealer",
            "quasar rat",
            "packer-as-a-service"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/",
            "https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Spreadsheet-for-samples-using-HeartCrypt.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "LummaStealer",
              "display_name": "LummaStealer",
              "target": null
            },
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "Vidar Stealer",
              "display_name": "Vidar Stealer",
              "target": null
            },
            {
              "id": "XWorm",
              "display_name": "XWorm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1055.012",
              "name": "Process Hollowing",
              "display_name": "T1055.012 - Process Hollowing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 57,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 127,
            "FileHash-SHA1": 78,
            "FileHash-SHA256": 421,
            "domain": 129,
            "hostname": 112
          },
          "indicator_count": 867,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377576,
          "modified_text": "461 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6723f395217b63c2bbdfc819",
          "name": "Threat actors use copyright infringement phishing lure to deploy infostealers",
          "description": "An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot domains, short URLs, and Dropbox to deliver information stealers, employing various evasion techniques. The malware includes LummaC2 and Rhadamanthys stealers, which are embedded in legitimate binaries. The campaign specifically targets traditional Chinese speakers and uses well-known company names in Taiwan and Hong Kong to increase credibility. The infection chain involves encrypted archives, fake PDF executables, and sophisticated loaders that employ anti-analysis techniques and ensure persistence on infected systems.",
          "modified": "2024-11-01T17:25:51.972000",
          "created": "2024-10-31T21:16:05.513000",
          "tags": [
            "infostealer",
            "phishing",
            "facebook",
            "rhadamanthys",
            "evasion",
            "lummac2",
            "copyright",
            "taiwan",
            "obfuscation"
          ],
          "references": [
            "https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Hong Kong",
            "Taiwan"
          ],
          "malware_families": [
            {
              "id": "LummaC2",
              "display_name": "LummaC2",
              "target": null
            },
            {
              "id": "Rhadamanthys",
              "display_name": "Rhadamanthys",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1027.001",
              "name": "Binary Padding",
              "display_name": "T1027.001 - Binary Padding"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            }
          ],
          "industries": [
            "Media",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 23,
            "domain": 35
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 377575,
          "modified_text": "534 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672f6ed2b564f00b7c5cb13f",
          "name": "Threatfox Recent Additions",
          "description": "",
          "modified": "2025-06-13T19:00:02.811000",
          "created": "2024-11-09T14:16:50.032000",
          "tags": [],
          "references": [
            "",
            "https://threatfox.abuse.ch/export/csv/recent/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 96,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ameermane",
            "id": "77501",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47587,
            "URL": 18714,
            "FileHash-SHA256": 36311,
            "FileHash-MD5": 1630,
            "FileHash-SHA1": 418,
            "hostname": 18190
          },
          "indicator_count": 122850,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "680f59605f2cdb05ecfe52b7",
          "name": "Threat Intel Report - W14-2025",
          "description": "These are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions that upgrade their security infrastructure against the threats and attacks newly identified this week.\n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools.",
          "modified": "2025-05-28T10:02:27.221000",
          "created": "2025-04-28T10:33:04.500000",
          "tags": [
            "mozi",
            "wsgidav",
            "grouped",
            "week",
            "group",
            "iocs",
            "turkey",
            "compromise",
            "asyncrat",
            "urls http",
            "clearfake",
            "ukraine",
            "amadey",
            "remcos",
            "malware",
            "date",
            "indonesia",
            "uruguay",
            "telegram",
            "enterprise",
            "mark"
          ],
          "references": [
            "https://any.run/malware-trends/",
            "https://urlhaus.abuse.ch/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 85,
            "URL": 159,
            "FileHash-MD5": 13,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 17,
            "domain": 59
          },
          "indicator_count": 346,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 106,
          "modified_text": "326 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68340f42d5f7a341e8ad88e7",
          "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool",
          "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.",
          "modified": "2025-05-26T06:50:42.505000",
          "created": "2025-05-26T06:50:42.505000",
          "tags": [
            "lummac2",
            "bitsight",
            "windows",
            "steam profile",
            "lummac2 iocs",
            "lumma stealer",
            "malware",
            "redline",
            "meta",
            "bitsight trace",
            "telegram",
            "steam",
            "service",
            "lumma"
          ],
          "references": [
            "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business",
            "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Bitsight",
              "display_name": "Bitsight",
              "target": null
            },
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1135,
            "hostname": 3,
            "URL": 97
          },
          "indicator_count": 1235,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "328 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ef8d571324a271de986299",
          "name": "Threat Intel Report - W12-2025",
          "description": "These are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions that upgrade their security infrastructure against the threats and attacks newly identified this week.\n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools.\n\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber trends.",
          "modified": "2025-05-04T07:02:31.627000",
          "created": "2025-04-04T07:42:15.839000",
          "tags": [
            "mozi",
            "bangladesh",
            "singapore",
            "cobaltstrike",
            "united kingdom",
            "mozi link",
            "germany",
            "france",
            "china",
            "turkey",
            "pink",
            "indonesia",
            "clearfake",
            "ukraine",
            "panama",
            "remcos",
            "asyncrat",
            "agent tesla",
            "malware",
            "date",
            "snakekeylogger",
            "masslogger",
            "mexico",
            "ransomhub"
          ],
          "references": [
            "https://urlhaus.abuse.ch/",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RansomHub",
              "display_name": "RansomHub",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [
            "Cryptocurrency"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 207,
            "FileHash-MD5": 16,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 19,
            "CVE": 1,
            "domain": 43,
            "hostname": 180
          },
          "indicator_count": 482,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 105,
          "modified_text": "350 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ef8df5d1dfcf2ce2fce716",
          "name": "Threat Intel Report - W13-2025",
          "description": "These are weekly baseline recommendations to all IT Administrators and CISOs to take corrective actions that upgrade their security infrastructure against the threats and attacks newly identified this week.\n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools.\n\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber trends.",
          "modified": "2025-05-04T07:02:31.627000",
          "created": "2025-04-04T07:44:53.871000",
          "tags": [
            "mozi",
            "mozi link",
            "china",
            "russia",
            "microsoft",
            "windows",
            "week",
            "germany",
            "iocs",
            "clearfake",
            "indonesia",
            "remcos",
            "asyncrat",
            "sharepoint",
            "malware",
            "date",
            "mexico",
            "panama",
            "amadey",
            "infostealer",
            "sparrowdoor",
            "clop"
          ],
          "references": [
            "https://urlhaus.abuse.ch/",
            "https://any.run/malware-trends/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Infostealer",
              "display_name": "Infostealer",
              "target": null
            },
            {
              "id": "SparrowDoor",
              "display_name": "SparrowDoor",
              "target": null
            },
            {
              "id": "Clop",
              "display_name": "Clop",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 264,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 18,
            "domain": 59,
            "hostname": 115
          },
          "indicator_count": 480,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 106,
          "modified_text": "350 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6762f4817f67dab73461a184",
          "name": "TI Advisory No-ESAF-SOC-TI-451- HeartCrypt Packer-as-a-Service Enables Easy Malware Distribution",
          "description": "The full text of the full report on the events of 7 May 2017:..-. and the details will appear on BBC Radio 5 live and iPlayer on Wednesday, 2 March.",
          "modified": "2025-01-17T16:02:04.286000",
          "created": "2024-12-18T16:12:49.523000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "HeartCrypt Packer-as-a-Service Enables Easy Malware Distribution",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 99,
            "hostname": 46,
            "FileHash-MD5": 193,
            "FileHash-SHA1": 193,
            "FileHash-SHA256": 193,
            "URL": 51
          },
          "indicator_count": 775,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "457 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67617edafa11fa408b73322c",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024",
          "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.",
          "modified": "2025-01-16T13:03:38.406000",
          "created": "2024-12-17T13:38:34.760000",
          "tags": [
            "access",
            "discovery",
            "ta0001 initial",
            "t1003 data",
            "local system",
            "t1033 system",
            "t1057 process",
            "t1082 system",
            "t1087 account"
          ],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Lumma",
            "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark",
            "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 26,
            "FileHash-SHA1": 25,
            "FileHash-SHA256": 27,
            "URL": 301,
            "domain": 665,
            "hostname": 8
          },
          "indicator_count": 1052,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 267,
          "modified_text": "458 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "674c9f48cd2a512e28ef6523",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con LummaStealer 01-12-2024",
          "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.",
          "modified": "2024-12-31T17:05:00.863000",
          "created": "2024-12-01T17:39:20.573000",
          "tags": [
            "http",
            "access",
            "discovery",
            "uexfvbqog9i67m",
            "mmirygls1g",
            "vt51x7b9cwn7e4x",
            "v2fnqdfylkobc",
            "tcticas",
            "ta0001 initial",
            "t1003 data"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark",
            "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129",
            "https://darfe.es/ciberwiki/index.php?title=Lumma"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1161,
            "FileHash-SHA1": 1159,
            "FileHash-SHA256": 1167,
            "URL": 255,
            "domain": 665,
            "hostname": 8
          },
          "indicator_count": 4415,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "474 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672de9e87b6aed420bc96128",
          "name": "Threat actors use copyright infringement phishing lure to deploy infostealers",
          "description": "A round-up of the latest research from security firm Cisco Talos, as part of its annual security review, on the subject of copyright infringement and cyber-security, and the threat posed by an unknown threat actor.",
          "modified": "2024-12-08T10:02:06.586000",
          "created": "2024-11-08T10:37:28.217000",
          "tags": [
            "threat spotlight",
            "threats",
            "redacted",
            "lummac2",
            "cisco secure",
            "rar file",
            "information",
            "taiwan",
            "eps file",
            "lummac2 stealer",
            "rhadamanthys",
            "google",
            "facebook",
            "virustotal",
            "umbrella",
            "medusalocker"
          ],
          "references": [
            "https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/",
            "https://raw.githubusercontent.com/Cisco-Talos/IOCs/refs/heads/main/2024/10/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Taiwan"
          ],
          "malware_families": [
            {
              "id": "MedusaLocker",
              "display_name": "MedusaLocker",
              "target": null
            },
            {
              "id": "LummaC2",
              "display_name": "LummaC2",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            }
          ],
          "industries": [
            "Industrial"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 22,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 23,
            "URL": 2,
            "domain": 35
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 846,
          "modified_text": "497 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67289dbcf153559e9a657bc4",
          "name": "Xi\u016b g\u01d2u Phishing Campaign Spreads Across Five Nations",
          "description": "",
          "modified": "2024-12-04T10:01:42.870000",
          "created": "2024-11-04T10:11:08.652000",
          "tags": [
            "urls"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 22,
            "FileHash-SHA1": 22,
            "FileHash-SHA256": 23,
            "URL": 2,
            "domain": 497,
            "hostname": 13
          },
          "indicator_count": 579,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 485,
          "modified_text": "501 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6696324b10bd4d2a34d1a1a2",
          "name": "Threat Intel Report - W26-2024",
          "description": "This is a cyber-advisory document presenting compiled cyber threat intelligence sourced from various channels and tools. \n\nThese recommendations are issued on a weekly basis to all IT administrators and CISOs so they can take corrective action to harden their security infrastructure against the threats and attacks newly identified this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited continuously through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against the latest cyber trends.",
          "modified": "2024-08-15T08:00:39.221000",
          "created": "2024-07-16T08:41:47.431000",
          "tags": [
            "mozi",
            "mozi link",
            "germany",
            "week",
            "poland",
            "canada",
            "panama",
            "urls http",
            "ukraine",
            "japan",
            "remcos",
            "formbook",
            "agent tesla",
            "asyncrat",
            "xworm"
          ],
          "references": [
            "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time#a",
            "https://urlhaus.abuse.ch/browse.php?search=.exe"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "aa00643640@techmahindra.com",
            "id": "156540",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 59,
            "FileHash-SHA1": 59,
            "FileHash-SHA256": 116,
            "URL": 96,
            "domain": 62,
            "hostname": 104
          },
          "indicator_count": 496,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 108,
          "modified_text": "612 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Spreadsheet-for-samples-using-HeartCrypt.csv",
        "https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/",
        "https://urlhaus.abuse.ch/browse.php?search=.exe",
        "https://www.virustotal.com/gui/collection/9419ada66b99877877ab2cbbe22a5e2de65cd18153db39736cb4fe1d06cc1129",
        "https://urlhaus.abuse.ch/",
        "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark",
        "https://www.virustotal.com/graph/embed/g31920c46027f42a085f0a4040c4609fcccba0ba580b3451893964f393d84ac65?theme=dark",
        "https://myip.ms/browse/blacklist/Blacklist_IP_Blacklist_IP_Addresses_Live_Database_Real-time#a",
        "https://raw.githubusercontent.com/Cisco-Talos/IOCs/refs/heads/main/2024/10/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers.txt",
        "https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/",
        "https://threatfox.abuse.ch/export/csv/recent/",
        "https://darfe.es/ciberwiki/index.php?title=Lumma",
        "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business",
        "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6",
        "https://any.run/malware-trends/",
        "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lumma Stealer"
          ],
          "malware_families": [
            "Vidar stealer",
            "Quasar rat",
            "Rhadamanthys",
            "Lumma stealer",
            "Lummastealer",
            "Redline stealer",
            "Xworm",
            "Lummac2",
            "Remcos"
          ],
          "industries": [
            "Media",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "HeartCrypt Packer-as-a-Service Enables Easy Malware Distribution"
          ],
          "malware_families": [
            "Ransomhub",
            "Lumma",
            "Lumma stealer",
            "Lummac2",
            "Medusalocker",
            "Clop",
            "Bitsight",
            "Infostealer",
            "Sparrowdoor"
          ],
          "industries": [
            "Industrial",
            "Cryptocurrency",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 14,
  "pulses": [
    {
      "id": "682e5bb94e2f4e75be640cb5",
      "name": "Lumma Stealer is Out... of business!",
      "description": "A coordinated action led by Microsoft's Digital Crimes Unit, with participation from Bitsight and other partners, has successfully dismantled the operational capabilities of Lumma Stealer (LummaC2), a prominent information stealer operating since late 2022. The operation involved seizing over 1,000 domains and shutting down more than 90 Telegram channels and Steam profiles associated with the malware's infrastructure. LummaC2, which gained popularity after the takedown of Redline and Meta stealers, targeted Windows systems to extract sensitive data from various applications. The malware employed a complex, multi-tiered command and control infrastructure, using multiple domains, Steam profiles, and Telegram channels for resilience. This disruptive action is expected to significantly impact the threat landscape and hinder criminal activities in the malware scene.",
      "modified": "2025-05-22T07:11:18.344000",
      "created": "2025-05-21T23:03:21.624000",
      "tags": [
        "lummac",
        "infrastructure takedown",
        "information stealer",
        "lummac2",
        "redline",
        "multi-tiered c2",
        "malware-as-a-service",
        "data theft"
      ],
      "references": [
        "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business"
      ],
      "public": 1,
      "adversary": "Lumma Stealer",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1555.003",
          "name": "Credentials from Web Browsers",
          "display_name": "T1555.003 - Credentials from Web Browsers"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 60,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1129,
        "hostname": 3
      },
      "indicator_count": 1132,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377575,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "675d2e0cd183cf5668a88c46",
      "name": "Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation",
      "description": "This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by malware operators of families like LummaStealer, Remcos, and Rhadamanthys. HeartCrypt injects malicious code into legitimate binaries and employs various obfuscation techniques to hinder analysis. The packer executes in multiple stages, using encoded resources and anti-sandbox measures. Over 2,000 malicious payloads across 45 malware families have utilized HeartCrypt, highlighting the increasing commoditization of malware development and the need for proactive threat hunting.",
      "modified": "2025-01-13T07:00:01.252000",
      "created": "2024-12-14T07:04:44.519000",
      "tags": [
        "rhadamanthys",
        "remcos",
        "vidar stealer",
        "xworm",
        "process hollowing",
        "anti-sandbox",
        "heartcrypt",
        "lummastealer",
        "redline stealer",
        "quasar rat",
        "packer-as-a-service"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/",
        "https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Spreadsheet-for-samples-using-HeartCrypt.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "LummaStealer",
          "display_name": "LummaStealer",
          "target": null
        },
        {
          "id": "Remcos",
          "display_name": "Remcos",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "Vidar Stealer",
          "display_name": "Vidar Stealer",
          "target": null
        },
        {
          "id": "XWorm",
          "display_name": "XWorm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1055.012",
          "name": "Process Hollowing",
          "display_name": "T1055.012 - Process Hollowing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 57,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 127,
        "FileHash-SHA1": 78,
        "FileHash-SHA256": 421,
        "domain": 129,
        "hostname": 112
      },
      "indicator_count": 867,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377576,
      "modified_text": "461 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6723f395217b63c2bbdfc819",
      "name": "Threat actors use copyright infringement phishing lure to deploy infostealers",
      "description": "An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot domains, short URLs, and Dropbox to deliver information stealers, employing various evasion techniques. The malware includes LummaC2 and Rhadamanthys stealers, which are embedded in legitimate binaries. The campaign specifically targets traditional Chinese speakers and uses well-known company names in Taiwan and Hong Kong to increase credibility. The infection chain involves encrypted archives, fake PDF executables, and sophisticated loaders that employ anti-analysis techniques and ensure persistence on infected systems.",
      "modified": "2024-11-01T17:25:51.972000",
      "created": "2024-10-31T21:16:05.513000",
      "tags": [
        "infostealer",
        "phishing",
        "facebook",
        "rhadamanthys",
        "evasion",
        "lummac2",
        "copyright",
        "taiwan",
        "obfuscation"
      ],
      "references": [
        "https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Hong Kong",
        "Taiwan"
      ],
      "malware_families": [
        {
          "id": "LummaC2",
          "display_name": "LummaC2",
          "target": null
        },
        {
          "id": "Rhadamanthys",
          "display_name": "Rhadamanthys",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1027.001",
          "name": "Binary Padding",
          "display_name": "T1027.001 - Binary Padding"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        }
      ],
      "industries": [
        "Media",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 53,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 23,
        "domain": 35
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 377575,
      "modified_text": "534 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672f6ed2b564f00b7c5cb13f",
      "name": "Threatfox Recent Additions",
      "description": "",
      "modified": "2025-06-13T19:00:02.811000",
      "created": "2024-11-09T14:16:50.032000",
      "tags": [],
      "references": [
        "",
        "https://threatfox.abuse.ch/export/csv/recent/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 96,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ameermane",
        "id": "77501",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47587,
        "URL": 18714,
        "FileHash-SHA256": 36311,
        "FileHash-MD5": 1630,
        "FileHash-SHA1": 418,
        "hostname": 18190
      },
      "indicator_count": 122850,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "310 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "680f59605f2cdb05ecfe52b7",
      "name": "Threat Intel Report - W14-2025",
      "description": "These are weekly recommendations to all IT administrators and CISOs to take corrective action and harden their security infrastructure against the threats and attacks newly identified during the week. \n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools.",
      "modified": "2025-05-28T10:02:27.221000",
      "created": "2025-04-28T10:33:04.500000",
      "tags": [
        "mozi",
        "wsgidav",
        "grouped",
        "week",
        "group",
        "iocs",
        "turkey",
        "compromise",
        "asyncrat",
        "urls http",
        "clearfake",
        "ukraine",
        "amadey",
        "remcos",
        "malware",
        "date",
        "indonesia",
        "uruguay",
        "telegram",
        "enterprise",
        "mark"
      ],
      "references": [
        "https://any.run/malware-trends/",
        "https://urlhaus.abuse.ch/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 85,
        "URL": 159,
        "FileHash-MD5": 13,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 17,
        "domain": 59
      },
      "indicator_count": 346,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 106,
      "modified_text": "326 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68340f42d5f7a341e8ad88e7",
      "name": "Lumma Stealer Shutdown: Global Takedown Disrupts Prolific Cybercrime Tool",
      "description": "A coordinated international operation led by Microsoft\u2019s Digital Crimes Unit (DCU), the U.S. Department of Justice (DOJ), Europol, and partners has dismantled the infrastructure of Lumma Stealer, a notorious Malware-as-a-Service (MaaS) platform linked to over 10 million infections and 1.7 million confirmed attacks globally. The action, announced in May 2025, resulted in the seizure of 2,300 malicious domains, sinkholing of traffic to Microsoft-controlled servers, and the suspension of Lumma\u2019s Telegram-based affiliate marketplace, crippling its ability to steal sensitive data like passwords, cryptocurrency wallets, and MFA tokens.\n\nLumma, developed by Russian threat actor \"Shamel,\" operated under a subscription model ($250\u2013$20,000) and was distributed via phishing campaigns, malvertising, and trojanized software. Its evasion tactics\u2014such as abuse of legitimate cloud services, encrypted C2 communications, and geofenced payloads\u2014made it a preferred tool for ransomware affiliates and credential harvesters.",
      "modified": "2025-05-26T06:50:42.505000",
      "created": "2025-05-26T06:50:42.505000",
      "tags": [
        "lummac2",
        "bitsight",
        "windows",
        "steam profile",
        "lummac2 iocs",
        "lumma stealer",
        "malware",
        "redline",
        "meta",
        "bitsight trace",
        "telegram",
        "steam",
        "service",
        "lumma"
      ],
      "references": [
        "https://www.bitsight.com/blog/lumma-stealer-is-out-of-business",
        "https://raw.githubusercontent.com/bitsight-research/threat_research/refs/heads/main/lumma/lumma_iocs.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Bitsight",
          "display_name": "Bitsight",
          "target": null
        },
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1135,
        "hostname": 3,
        "URL": 97
      },
      "indicator_count": 1235,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 170,
      "modified_text": "328 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ef8d571324a271de986299",
      "name": "Threat Intel Report - W12-2025",
      "description": "These are weekly recommendations to all IT administrators and CISOs to take corrective action and harden their security infrastructure against the threats and attacks newly identified during the week. \n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools. \n\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber threat trends.",
      "modified": "2025-05-04T07:02:31.627000",
      "created": "2025-04-04T07:42:15.839000",
      "tags": [
        "mozi",
        "bangladesh",
        "singapore",
        "cobaltstrike",
        "united kingdom",
        "mozi link",
        "germany",
        "france",
        "china",
        "turkey",
        "pink",
        "indonesia",
        "clearfake",
        "ukraine",
        "panama",
        "remcos",
        "asyncrat",
        "agent tesla",
        "malware",
        "date",
        "snakekeylogger",
        "masslogger",
        "mexico",
        "ransomhub"
      ],
      "references": [
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RansomHub",
          "display_name": "RansomHub",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [
        "Cryptocurrency"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 207,
        "FileHash-MD5": 16,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 19,
        "CVE": 1,
        "domain": 43,
        "hostname": 180
      },
      "indicator_count": 482,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 105,
      "modified_text": "350 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ef8df5d1dfcf2ce2fce716",
      "name": "Threat Intel Report - W13-2025",
      "description": "These are weekly recommendations to all IT administrators and CISOs to take corrective action and harden their security infrastructure against the threats and attacks newly identified during the week. \n\nSecurity is a continuous process; it has to be reviewed and audited continuously, through manual or automated tools. \n\nThese details may be used as an additional layer to verify an organization's current security posture against the latest cyber threat trends.",
      "modified": "2025-05-04T07:02:31.627000",
      "created": "2025-04-04T07:44:53.871000",
      "tags": [
        "mozi",
        "mozi link",
        "china",
        "russia",
        "microsoft",
        "windows",
        "week",
        "germany",
        "iocs",
        "clearfake",
        "indonesia",
        "remcos",
        "asyncrat",
        "sharepoint",
        "malware",
        "date",
        "mexico",
        "panama",
        "amadey",
        "infostealer",
        "sparrowdoor",
        "clop"
      ],
      "references": [
        "https://urlhaus.abuse.ch/",
        "https://any.run/malware-trends/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Infostealer",
          "display_name": "Infostealer",
          "target": null
        },
        {
          "id": "SparrowDoor",
          "display_name": "SparrowDoor",
          "target": null
        },
        {
          "id": "Clop",
          "display_name": "Clop",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "aa00643640@techmahindra.com",
        "id": "156540",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 264,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 18,
        "domain": 59,
        "hostname": 115
      },
      "indicator_count": 480,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 106,
      "modified_text": "350 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6762f4817f67dab73461a184",
      "name": "TI Advisory No-ESAF-SOC-TI-451- HeartCrypt Packer-as-a-Service Enables Easy Malware Distribution",
      "description": "Advisory (ESAF-SOC-TI-451) on HeartCrypt, a Packer-as-a-Service that enables easy malware distribution; see the pulse title. The original pulse description was unrelated placeholder text (a BBC broadcast notice) and carried no information about this advisory, so treat this pulse's indicators as unvetted context rather than as analysis.",
      "modified": "2025-01-17T16:02:04.286000",
      "created": "2024-12-18T16:12:49.523000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "HeartCrypt Packer-as-a-Service Enables Easy Malware Distribution",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 99,
        "hostname": 46,
        "FileHash-MD5": 193,
        "FileHash-SHA1": 193,
        "FileHash-SHA256": 193,
        "URL": 51
      },
      "indicator_count": 775,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "457 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67617edafa11fa408b73322c",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con Lumma Stealer 17-12-2024",
      "description": "Lumma Stealer es un tipo de software malicioso dise\u00f1ado para robar informaci\u00f3n confidencial de los dispositivos infectados. Este malware se infiltra en los sistemas y extrae datos personales, como nombres de usuario, contrase\u00f1as, informaci\u00f3n bancaria y detalles de tarjetas de cr\u00e9dito. LummaStealer puede afectar varias cuentas, incluidas redes sociales, correos electr\u00f3nicos y monederos de criptomonedas. Los delincuentes pueden usar la informaci\u00f3n robada para chantaje, suplantaci\u00f3n de identidad, y realizar transacciones fraudulentas, lo que puede causar serios problemas de privacidad y p\u00e9rdidas econ\u00f3micas significativas para las v\u00edctimas.",
      "modified": "2025-01-16T13:03:38.406000",
      "created": "2024-12-17T13:38:34.760000",
      "tags": [
        "access",
        "discovery",
        "ta0001 initial",
        "t1003 data",
        "local system",
        "t1033 system",
        "t1057 process",
        "t1082 system",
        "t1087 account"
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Lumma",
        "https://www.virustotal.com/graph/embed/gec57b97e0f194fd38738be6392abba6f180fe9d93be24891af76fb2c7bec3638?theme=dark",
        "https://www.virustotal.com/gui/collection/bf70caf191025dfa3e68e8bc63882880ae2ca60f72ece512aaee246b487c5ad6"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 26,
        "FileHash-SHA1": 25,
        "FileHash-SHA256": 27,
        "URL": 301,
        "domain": 665,
        "hostname": 8
      },
      "indicator_count": 1052,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 267,
      "modified_text": "458 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "parallelmercywksoffw.shop",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "parallelmercywksoffw.shop",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776642583.454396
}