{ "type": "Domain", "indicator": "perfectgoc.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/perfectgoc.com", "alexa": "http://www.alexa.com/siteinfo/perfectgoc.com", "indicator": "perfectgoc.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3677446825, "indicator": "perfectgoc.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f11f15737a6a70e077e9d7", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication.", "modified": "2026-04-29T06:58:09.112000", "created": "2026-04-28T20:56:53.473000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386483, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f2df351a29e68b71da60e7", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "", "modified": "2026-04-30T04:48:53.216000", "created": "2026-04-30T04:48:53.216000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f11f15737a6a70e077e9d7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f259ebdb5093a1719a9f1b", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "X-Labs recently identified a consumer-targeted DHL phishing campaign that uses familiar brand impersonation, a fake OTP verification step and client-side credential harvesting to steal passwords from everyday users.\n\nThe campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins.\n\nThe sample analyzed here walks the victim through a spoofed shipment email, a fake parcel OTP page and a DHL-branded login portal. The final stage captures the victim's password, enriches it with IP address, device details and location data, then exfiltrates everything through EmailJS to an attacker-controlled mailbox.", "modified": "2026-04-29T19:21:01.012000", "created": "2026-04-29T19:20:11.993000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f11f15737a6a70e077e9d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.csv", "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f11f15737a6a70e077e9d7", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "A consumer-targeted credential theft operation uses DHL brand impersonation combined with a fake OTP verification mechanism to harvest passwords from victims. The attack employs an 11-step chain beginning with spoofed shipment notification emails, leading victims through a client-side generated OTP page that creates false trust, then directing them to a DHL-branded credential harvesting portal. The kit captures passwords alongside victim telemetry including IP address, device details, browser fingerprinting, and geolocation data. Exfiltration occurs through EmailJS, a legitimate client-side email service, sending stolen credentials to an attacker-controlled Tutamail address. The campaign concludes by redirecting victims to the legitimate DHL website to avoid suspicion, demonstrating how familiar workflows and brand trust can be weaponized without technical sophistication.", "modified": "2026-04-29T06:58:09.112000", "created": "2026-04-28T20:56:53.473000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386483, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "19 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f2df351a29e68b71da60e7", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "", "modified": "2026-04-30T04:48:53.216000", "created": "2026-04-30T04:48:53.216000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f11f15737a6a70e077e9d7", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f259ebdb5093a1719a9f1b", "name": "Inside a Fake DHL Campaign Built to Steal Credentials", "description": "X-Labs recently identified a consumer-targeted DHL phishing campaign that uses familiar brand impersonation, a fake OTP verification step and client-side credential harvesting to steal passwords from everyday users.\n\nThe campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim's guard before the actual theft begins.\n\nThe sample analyzed here walks the victim through a spoofed shipment email, a fake parcel OTP page and a DHL-branded login portal. The final stage captures the victim's password, enriches it with IP address, device details and location data, then exfiltrates everything through EmailJS to an attacker-controlled mailbox.", "modified": "2026-04-29T19:21:01.012000", "created": "2026-04-29T19:20:11.993000", "tags": [ "social engineering", "phishing campaign", "client-side theft", "emailjs exfiltration", "credential harvesting", "brand impersonation", "fake otp", "dhl impersonation" ], "references": [ "https://www.forcepoint.com/blog/x-labs/fake-dhl-phishing-campaign-credential-theft" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "69f11f15737a6a70e077e9d7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "perfectgoc.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "perfectgoc.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://perfectgoc.com/mits/eiimnimmmaax", "status": "offline", "threat": "malware_download", "date_added": "2022-10-19", "tags": [ "BB03", "FYN09", "iso", "Qakbot", "qbot", "Quakbot", "TR", "zip" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780206036.3807166 }