{ "type": "Domain", "indicator": "parcel-delivery.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/parcel-delivery.net", "alexa": "http://www.alexa.com/siteinfo/parcel-delivery.net", "indicator": "parcel-delivery.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3902388486, "indicator": "parcel-delivery.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6859c8ef916c064a0466ab46", "name": "Host Long and Prosper: Uncovering Crypto Exchange Phishing Infrastructure via Prospero Networks.", "description": "A detailed threat hunting investigation into Prospero Networks (AS 200593) reveals a large-scale cryptocurrency exchange impersonation campaign. The analysis identifies over 200 malicious indicators across multiple ASNs, including fake crypto exchanges using names like \"Yukitale\" and \"cryptavex.\" The research demonstrates advanced hunting techniques using DNS data and header analysis to uncover fresh, unreported infrastructure hosting phishing sites targeting crypto users, banking customers, and streaming services. The campaign spans multiple themes including cryptocurrency, Netflix/streaming, banking, and logistics phishing, with evidence suggesting coordination by Ukrainian threat actors.", "modified": "2025-07-23T21:02:57.552000", "created": "2025-06-23T21:36:47.688000", "tags": [ "validin", "prospero", "ip blocks", "first", "february", "host", "domains", "crypto", "shiping", "logistics", "cluster" ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Prospero", "display_name": "Prospero", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "FileHash-MD5": 1, "domain": 178, "URL": 97, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 287, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a039f950816e8095349bf1", "name": "AS29522 related (8 months)", "description": "", "modified": "2024-08-23T00:06:48.764000", "created": "2024-07-23T23:17:13.849000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4683, "hostname": 4547 }, "indicator_count": 9231, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6664bf3fd95299157d7172fe", "name": "cyberfolks.pl", "description": "", "modified": "2024-06-08T20:29:51.204000", "created": "2024-06-08T20:29:51.204000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2855, "hostname": 2271 }, "indicator_count": 5126, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "721 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Prospero" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6859c8ef916c064a0466ab46", "name": "Host Long and Prosper: Uncovering Crypto Exchange Phishing Infrastructure via Prospero Networks.", "description": "A detailed threat hunting investigation into Prospero Networks (AS 200593) reveals a large-scale cryptocurrency exchange impersonation campaign. The analysis identifies over 200 malicious indicators across multiple ASNs, including fake crypto exchanges using names like \"Yukitale\" and \"cryptavex.\" The research demonstrates advanced hunting techniques using DNS data and header analysis to uncover fresh, unreported infrastructure hosting phishing sites targeting crypto users, banking customers, and streaming services. The campaign spans multiple themes including cryptocurrency, Netflix/streaming, banking, and logistics phishing, with evidence suggesting coordination by Ukrainian threat actors.", "modified": "2025-07-23T21:02:57.552000", "created": "2025-06-23T21:36:47.688000", "tags": [ "validin", "prospero", "ip blocks", "first", "february", "host", "domains", "crypto", "shiping", "logistics", "cluster" ], "references": [ "https://open.substack.com/pub/intelinsights/p/host-long-and-prosper?utm_source=share&utm_medium=android&r=5l6xoe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Prospero", "display_name": "Prospero", "target": null } ], "attack_ids": [ { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "FileHash-MD5": 1, "domain": 178, "URL": 97, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 287, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66a039f950816e8095349bf1", "name": "AS29522 related (8 months)", "description": "", "modified": "2024-08-23T00:06:48.764000", "created": "2024-07-23T23:17:13.849000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 4683, "hostname": 4547 }, "indicator_count": 9231, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "646 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6664bf3fd95299157d7172fe", "name": "cyberfolks.pl", "description": "", "modified": "2024-06-08T20:29:51.204000", "created": "2024-06-08T20:29:51.204000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Poland" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2855, "hostname": 2271 }, "indicator_count": 5126, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "721 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "parcel-delivery.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "parcel-delivery.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780224253.3428352 }