{ "type": "Domain", "indicator": "parapcc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/parapcc.com", "alexa": "http://www.alexa.com/siteinfo/parapcc.com", "indicator": "parapcc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4203701232, "indicator": "parapcc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "698cae5f4cea1bd87e41f4a4", "name": "The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "A widespread campaign is distributing the RenEngine loader malware disguised as pirated games and software. The loader uses a modified Ren'Py game engine to deliver payloads like Lumma and ACR stealers. It employs sophisticated techniques including sandbox evasion, process injection, and modular design. The infection chain involves decrypting and launching malicious code through legitimate applications. RenEngine has affected users globally, with Russia, Brazil, Turkey, Spain and Germany most impacted. The campaign highlights risks of pirated software and the need for robust security measures.", "modified": "2026-02-11T21:46:24.463000", "created": "2026-02-11T16:29:19.424000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 377518, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980ffaebc222344f6a6be6", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:40:42.022000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 779, "domain": 349, "hostname": 8 }, "indicator_count": 3399, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980ffdaedd34bd0fe0eb0c", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:40:45.101000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 779, "domain": 349, "hostname": 8 }, "indicator_count": 3399, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993d26676219322b9471772", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-19T02:19:36.978000", "created": "2026-02-17T02:28:54.170000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 777, "domain": 349, "hostname": 8 }, "indicator_count": 3397, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993d269cbc34c7e0a0c9c03", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-19T02:19:36.978000", "created": "2026-02-17T02:28:57.393000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 777, "domain": 349, "hostname": 8 }, "indicator_count": 3397, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f21fd2a5a6057c5793c63", "name": "iocsssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:07:09.248000", "tags": [ "hashmd5", "hashsha1", "hashsha256", "domain", "url https", "ip address" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 728, "domain": 348, "hostname": 8 }, "indicator_count": 3346, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992a5c80239e3db1af8969b", "name": "The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "", "modified": "2026-02-16T05:06:16.451000", "created": "2026-02-16T05:06:16.451000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "698cae5f4cea1bd87e41f4a4", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "62 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d41a5d46deb849eb2d3e9", "name": "IOC - The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "", "modified": "2026-02-12T02:57:41.339000", "created": "2026-02-12T02:57:41.339000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "698cae5f4cea1bd87e41f4a4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/", "IOCs2.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "698cae5f4cea1bd87e41f4a4", "name": "The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "A widespread campaign is distributing the RenEngine loader malware disguised as pirated games and software. The loader uses a modified Ren'Py game engine to deliver payloads like Lumma and ACR stealers. It employs sophisticated techniques including sandbox evasion, process injection, and modular design. The infection chain involves decrypting and launching malicious code through legitimate applications. RenEngine has affected users globally, with Russia, Brazil, Turkey, Spain and Germany most impacted. The campaign highlights risks of pirated software and the need for robust security measures.", "modified": "2026-02-11T21:46:24.463000", "created": "2026-02-11T16:29:19.424000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 377518, "modified_text": "66 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980ffaebc222344f6a6be6", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:40:42.022000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 779, "domain": 349, "hostname": 8 }, "indicator_count": 3399, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69980ffdaedd34bd0fe0eb0c", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-22T07:13:11.297000", "created": "2026-02-20T07:40:45.101000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 779, "domain": 349, "hostname": 8 }, "indicator_count": 3399, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993d26676219322b9471772", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-19T02:19:36.978000", "created": "2026-02-17T02:28:54.170000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 777, "domain": 349, "hostname": 8 }, "indicator_count": 3397, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6993d269cbc34c7e0a0c9c03", "name": "TI Advisory No-ESAF-SOC-TI-2026-163", "description": "", "modified": "2026-03-19T02:19:36.978000", "created": "2026-02-17T02:28:57.393000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 21, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 777, "domain": 349, "hostname": 8 }, "indicator_count": 3397, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698f21fd2a5a6057c5793c63", "name": "iocsssssssssssssssssssssssss", "description": "", "modified": "2026-03-15T13:34:50.742000", "created": "2026-02-13T13:07:09.248000", "tags": [ "hashmd5", "hashsha1", "hashsha256", "domain", "url https", "ip address" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "FileHash-MD5": 1121, "FileHash-SHA1": 1121, "FileHash-SHA256": 728, "domain": 348, "hostname": 8 }, "indicator_count": 3346, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "35 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699fc0513ab49ceb22c6d96b", "name": "TCS IOC", "description": "", "modified": "2026-02-26T03:38:57.799000", "created": "2026-02-26T03:38:57.799000", "tags": [ "https", "f https", "msgtype1", "http", "apiv2init" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "myerioc72", "id": "364999", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 22, "URL": 249, "FileHash-MD5": 242, "FileHash-SHA1": 337, "FileHash-SHA256": 322, "domain": 811, "hostname": 124 }, "indicator_count": 2107, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "52 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6992a5c80239e3db1af8969b", "name": "The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "", "modified": "2026-02-16T05:06:16.451000", "created": "2026-02-16T05:06:16.451000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "698cae5f4cea1bd87e41f4a4", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "62 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698d41a5d46deb849eb2d3e9", "name": "IOC - The game is over: when \u201cfree\u201d comes at too high a price. What we know about RenEngine", "description": "", "modified": "2026-02-12T02:57:41.339000", "created": "2026-02-12T02:57:41.339000", "tags": [ "loader", "lumma", "vidar", "renengine", "ren'py", "acr stealer", "stealer", "pirated games", "process injection", "hijackloader" ], "references": [ "https://securelist.com/renengine-campaign-with-hijackloader-lumma-and-acr-stealer/118891/" ], "public": 1, "adversary": "", "targeted_countries": [ "Brazil", "Germany", "Russian Federation", "Spain" ], "malware_families": [], "attack_ids": [ { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.012", "name": "Process Hollowing", "display_name": "T1055.012 - Process Hollowing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" } ], "industries": [], "TLP": "white", "cloned_from": "698cae5f4cea1bd87e41f4a4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "domain": 16 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "66 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "parapcc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "parapcc.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776613045.5656657 }