{
  "type": "Domain",
  "indicator": "pefile.directory",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pefile.directory",
    "alexa": "http://www.alexa.com/siteinfo/pefile.directory",
    "indicator": "pefile.directory",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3817112444,
      "indicator": "pefile.directory",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "6861a5d05c5fc6fc4fefee3d",
          "name": "Threat Actors abuse signed ConnectWise application as malware builder",
          "description": "Since March 2025, there has been a notable rise in malware infections utilizing validly signed ConnectWise software, indicative of bad signing practices exploited by threat actors. This trend is linked to a resurgence of abuse surrounding two vulnerabilities identified in February 2024, specifically CVE-2024-1708 and CVE-2024-1709. The current wave of malicious activities is attributable to a new strain of malware, termed \"EvilConwi\", which leverages these valid signatures to distribute fraudulent applications. Victims often report infections originating from phishing emails that lead to fake pages masquerading as legitimate applications. For instance, one prevalent scenario involved a user clicking on a OneDrive link that redirected them to a Canva page hiding a malicious ConnectWise installer within a download. Reports indicate that users experience symptoms such as their mouse moving erratically and fake Windows Update prompts during active remote connections, signaling a compromise.",
          "modified": "2025-06-29T20:45:04.278000",
          "created": "2025-06-29T20:45:04.278000",
          "tags": [
            "connectwise",
            "value",
            "windows update",
            "g data",
            "supportaccess",
            "accesssupport",
            "fake",
            "sample",
            "authenticode",
            "little",
            "june",
            "february",
            "facebook",
            "unknown",
            "dump",
            "silent",
            "launch",
            "back"
          ],
          "references": [
            "https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1553.006",
              "name": "Code Signing Policy Modification",
              "display_name": "T1553.006 - Code Signing Policy Modification"
            },
            {
              "id": "T1567.002",
              "name": "Exfiltration to Cloud Storage",
              "display_name": "T1567.002 - Exfiltration to Cloud Storage"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 19,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 29,
            "YARA": 1,
            "domain": 4
          },
          "indicator_count": 74,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "337 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6592ce3555a1ef14aecd0a1e",
          "name": "data559",
          "description": "The following is the full text of the InvisiMole malware decrypting the RC2CL and RC2FM modules from a DLL wrapper, following the work of security firm ESET.",
          "modified": "2024-01-01T14:37:41.571000",
          "created": "2024-01-01T14:37:41.571000",
          "tags": [
            "rc2clsize",
            "rc2fmsize",
            "rc2cloffset",
            "rc2fmoffset",
            "eset",
            "this software",
            "including",
            "but not",
            "limited to",
            "data",
            "code",
            "rc2fm",
            "direct",
            "dword"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "arwinisarockstar15",
            "id": "266693",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "hostname": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "883 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "6861a5d05c5fc6fc4fefee3d",
      "name": "Threat Actors abuse signed ConnectWise application as malware builder",
      "description": "Since March 2025, there has been a notable rise in malware infections utilizing validly signed ConnectWise software, indicative of bad signing practices exploited by threat actors. This trend is linked to a resurgence of abuse surrounding two vulnerabilities identified in February 2024, specifically CVE-2024-1708 and CVE-2024-1709. The current wave of malicious activities is attributable to a new strain of malware, termed \"EvilConwi\", which leverages these valid signatures to distribute fraudulent applications. Victims often report infections originating from phishing emails that lead to fake pages masquerading as legitimate applications. For instance, one prevalent scenario involved a user clicking on a OneDrive link that redirected them to a Canva page hiding a malicious ConnectWise installer within a download. Reports indicate that users experience symptoms such as their mouse moving erratically and fake Windows Update prompts during active remote connections, signaling a compromise.",
      "modified": "2025-06-29T20:45:04.278000",
      "created": "2025-06-29T20:45:04.278000",
      "tags": [
        "connectwise",
        "value",
        "windows update",
        "g data",
        "supportaccess",
        "accesssupport",
        "fake",
        "sample",
        "authenticode",
        "little",
        "june",
        "february",
        "facebook",
        "unknown",
        "dump",
        "silent",
        "launch",
        "back"
      ],
      "references": [
        "https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1553.006",
          "name": "Code Signing Policy Modification",
          "display_name": "T1553.006 - Code Signing Policy Modification"
        },
        {
          "id": "T1567.002",
          "name": "Exfiltration to Cloud Storage",
          "display_name": "T1567.002 - Exfiltration to Cloud Storage"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 19,
        "FileHash-SHA1": 19,
        "FileHash-SHA256": 29,
        "YARA": 1,
        "domain": 4
      },
      "indicator_count": 74,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "337 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6592ce3555a1ef14aecd0a1e",
      "name": "data559",
      "description": "The following is the full text of the InvisiMole malware decrypting the RC2CL and RC2FM modules from a DLL wrapper, following the work of security firm ESET.",
      "modified": "2024-01-01T14:37:41.571000",
      "created": "2024-01-01T14:37:41.571000",
      "tags": [
        "rc2clsize",
        "rc2fmsize",
        "rc2cloffset",
        "rc2fmoffset",
        "eset",
        "this software",
        "including",
        "but not",
        "limited to",
        "data",
        "code",
        "rc2fm",
        "direct",
        "dword"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "arwinisarockstar15",
        "id": "266693",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "hostname": 1
      },
      "indicator_count": 2,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "883 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pefile.directory",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pefile.directory",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780412019.4906862
}