{ "type": "Domain", "indicator": "parkspringshotel.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/parkspringshotel.com", "alexa": "http://www.alexa.com/siteinfo/parkspringshotel.com", "indicator": "parkspringshotel.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4356948580, "indicator": "parkspringshotel.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fbb11d210e2ceeb355dc2", "name": "IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus", "description": "Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.", "modified": "2026-05-22T02:10:25.863000", "created": "2026-05-22T02:10:25.863000", "tags": [ "windows", "linux", "c dropper", "pyarmor bot", "pyarmor runtime", "wdac ci", "linux payload", "linux suid", "c2 url", "active c2", "c2 ip" ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-the-jdownloader-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 10, "IPv4": 2, "URL": 3, "domain": 3 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03d30ebc255def6c27747a", "name": "Twitter Feed - thomasklemenc - 12-05-2026", "description": "", "modified": "2026-05-13T01:25:34.534000", "created": "2026-05-13T01:25:34.534000", "tags": [ "RAT", "malware" ], "references": [ "https://x.com/thomasklemenc/status/2052715025450598904" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8, "domain": 5, "IPv4": 1, "FileHash-SHA256": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-the-jdownloader-supply-chain-attack", "https://x.com/thomasklemenc/status/2052715025450598904" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69c081afa2bd54a9599b7c07", "name": "PhishDestroy \u2014 Active Phishing & Crypto Scam Domains", "description": "Real-time feed of phishing, crypto drainer, and scam domains detected by PhishDestroy (phishdestroy.io). Updated hourly. 108K+ domains tracked, 55K+ currently active. Source: github.com/phishdestroy/destroylist", "modified": "2026-05-24T00:00:03.049000", "created": "2026-03-22T23:56:29.438000", "tags": [ "phishing", "crypto", "scam", "drainer", "fraud", "blocklist", "phishdestroy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "phishdestroy", "id": "348394", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 93266, "hostname": 57600 }, "indicator_count": 150866, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fbb11d210e2ceeb355dc2", "name": "IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus", "description": "Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.", "modified": "2026-05-22T02:10:25.863000", "created": "2026-05-22T02:10:25.863000", "tags": [ "windows", "linux", "c dropper", "pyarmor bot", "pyarmor runtime", "wdac ci", "linux payload", "linux suid", "c2 url", "active c2", "c2 ip" ], "references": [ "https://www.gendigital.com/blog/insights/research/inside-the-jdownloader-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 10, "IPv4": 2, "URL": 3, "domain": 3 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03d30ebc255def6c27747a", "name": "Twitter Feed - thomasklemenc - 12-05-2026", "description": "", "modified": "2026-05-13T01:25:34.534000", "created": "2026-05-13T01:25:34.534000", "tags": [ "RAT", "malware" ], "references": [ "https://x.com/thomasklemenc/status/2052715025450598904" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8, "domain": 5, "IPv4": 1, "FileHash-SHA256": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03bf4773b48c0ba5708a9c", "name": "hjkhhkjhjhkhkj", "description": "The following is the full text of the text-based code that has been used to identify and identify people using the word \"deepseek\" as a means of identifying and identifying them from the public.", "modified": "2026-05-13T00:01:11.186000", "created": "2026-05-13T00:01:11.186000", "tags": [ "indicator name", "ydznvjljcz6f7", "kpuspriyonews" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 153, "FileHash-MD5": 186, "FileHash-SHA1": 85, "FileHash-SHA256": 81, "IPv4": 657, "domain": 211, "hostname": 561 }, "indicator_count": 1934, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "parkspringshotel.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "parkspringshotel.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780184955.3279295 }