{
  "type": "Domain",
  "indicator": "pfchangs-support.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pfchangs-support.com",
    "alexa": "http://www.alexa.com/siteinfo/pfchangs-support.com",
    "indicator": "pfchangs-support.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4003000849,
      "indicator": "pfchangs-support.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "67f62708c6faf0ab4e24f6d4",
          "name": "Scattered Spider: Still Hunting for Victims in 2025",
          "description": "Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.",
          "modified": "2025-05-09T07:01:46.188000",
          "created": "2025-04-09T07:51:36.790000",
          "tags": [
            "phishing",
            "social engineering",
            "domain impersonation",
            "klaviyo",
            "hubspot",
            "spectre rat"
          ],
          "references": [
            "https://www.silentpush.com/blog/scattered-spider-2025"
          ],
          "public": 1,
          "adversary": "Scattered Spider",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Spectre RAT",
              "display_name": "Spectre RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [
            "Finance",
            "Retail",
            "Technology",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 53,
            "hostname": 2
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386543,
          "modified_text": "387 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "672cf9acd2742762e7b47903",
          "name": "Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond",
          "description": "This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.",
          "modified": "2024-12-07T17:02:12.819000",
          "created": "2024-11-07T17:32:28.717000",
          "tags": [
            "social engineering",
            "phishing",
            "identity theft"
          ],
          "references": [
            "https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains"
          ],
          "public": 1,
          "adversary": "Scattered Spider",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1584",
              "name": "Compromise Infrastructure",
              "display_name": "T1584 - Compromise Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1606",
              "name": "Forge Web Credentials",
              "display_name": "T1606 - Forge Web Credentials"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            }
          ],
          "industries": [
            "Technology",
            "Finance",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 59,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 37,
            "domain": 148,
            "hostname": 34
          },
          "indicator_count": 223,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386540,
          "modified_text": "539 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688990fa0d8382bd5f02d806",
          "name": "EbeeJuly2025 Pt1",
          "description": "IOCs of multiple threats observed and collected in July 2025",
          "modified": "2025-08-29T03:04:16.203000",
          "created": "2025-07-30T03:26:50.115000",
          "tags": [],
          "references": [
            "Julypt1.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 39,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 144,
            "FileHash-SHA256": 232,
            "CIDR": 1,
            "CVE": 3,
            "domain": 150,
            "email": 9,
            "hostname": 37
          },
          "indicator_count": 746,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "275 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68678d076be34e0dd9d9a6fd",
          "name": "GC Scattered Spider Targeting Multi Sectors",
          "description": "The following is a full list of malicious domain names: \u00a31.5m,   \u00a31bn, \u20ac2.3m..7m",
          "modified": "2025-08-03T08:01:56.508000",
          "created": "2025-07-04T08:12:55.944000",
          "tags": [
            "domain"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dario.guerreiro",
            "id": "155493",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 52,
            "hostname": 2
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 31,
          "modified_text": "301 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6808456074f76f5b134bac73",
          "name": "Scattered Spider: Persistent Threat Actor Targets Major Brands in 2025",
          "description": "The Scattered Spider hacker collective continues to pose a significant threat in 2025, targeting major brands such as Klaviyo, HubSpot, and Pure Storage. Silent Push researchers have identified five unique phishing kits used by Scattered Spider, with updates to their tactics, techniques, and procedures (TTPs). Notably, the group has deployed a new version of Spectre RAT to gain persistent access to compromised systems.",
          "modified": "2025-05-23T01:05:36.873000",
          "created": "2025-04-23T01:41:52.223000",
          "tags": [
            "spider",
            "spectre rat",
            "silent push",
            "bitlaunch",
            "push",
            "okta",
            "snowflake",
            "bitcoin",
            "kraken",
            "trojan",
            "elijah",
            "u.s. threat",
            "spectre"
          ],
          "references": [
            "https://www.silentpush.com/blog/scattered-spider-2025/"
          ],
          "public": 1,
          "adversary": "Elijah",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "U.S. Threat",
              "display_name": "U.S. Threat",
              "target": null
            },
            {
              "id": "Spectre",
              "display_name": "Spectre",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1530",
              "name": "Data from Cloud Storage Object",
              "display_name": "T1530 - Data from Cloud Storage Object"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 56,
            "hostname": 2
          },
          "indicator_count": 58,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "373 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67f7813ad4864d50644332e8",
          "name": "IOC&TTP - Scattered Spider: Still Hunting for Victims in 2025",
          "description": "Scattered Spider \u662f\u4e00\u4e2a\u81ea 2022 \u5e74\u4ee5\u6765\u6d3b\u8dc3\u7684\u653b\u51fb\u56e2\u4f53\uff0c\u4ee5\u9ad8\u6c34\u5e73\u7684\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\u8457\u79f0 \u3002\u4ed6\u4eec\u5728 2025 \u5e74\u6301\u7eed\u6269\u5f20\u76ee\u6807\u8303\u56f4\uff0c\u4ece\u91d1\u878d\u3001\u4e91\u5b58\u50a8\u5230\u96f6\u552e\u3001\u793e\u4ea4\u5e73\u53f0\u4e0e\u8425\u9500\u5de5\u5177\u7b49\u591a\u4e2a\u884c\u4e1a\u3002\n\u5c3d\u7ba1 2024 \u5e74\u591a\u540d\u7591\u4f3c\u6210\u5458\u88ab\u6355\uff0c\u4f46 Scattered Spider \u5e76\u672a\u56e0\u6b64\u505c\u6b47\uff0c\u5728 2025 \u5e74\u6301\u7eed\u6295\u5165\u65b0\u7684\u6280\u672f\u4e0e\u5de5\u5177\u6765\u8fdb\u884c\u7a83\u53d6\u51ed\u636e\u3001\u6269\u5927\u653b\u51fb\u8303\u56f4\u3001\u6df7\u6dc6\u57fa\u7840\u67b6\u6784\u7b49\u884c\u52a8\u3002\u4f01\u4e1a\u6216\u7ec4\u7ec7\u9700\u8981\u9488\u5bf9\u5176\u52a8\u6001\u6ce8\u518c\u57df\u540d\u3001\u9493\u9c7c\u5957\u4ef6\u4e0e RAT \u5bb6\u65cf\u6d3b\u52a8\u91c7\u53d6\u9632\u62a4\u63aa\u65bd\u3002",
          "modified": "2025-05-09T07:01:46.188000",
          "created": "2025-04-10T08:28:42.480000",
          "tags": [
            "phishing",
            "social engineering",
            "domain impersonation",
            "klaviyo",
            "hubspot",
            "spectre rat"
          ],
          "references": [
            "https://www.silentpush.com/blog/scattered-spider-2025"
          ],
          "public": 1,
          "adversary": "Scattered Spider",
          "targeted_countries": [
            "United States of America",
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [
            {
              "id": "Spectre RAT",
              "display_name": "Spectre RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [
            "Finance",
            "Retail",
            "Technology",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": "67f62708c6faf0ab4e24f6d4",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 53,
            "hostname": 2
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "387 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.silentpush.com/blog/scattered-spider-2025",
        "Julypt1.pdf",
        "https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains",
        "https://www.silentpush.com/blog/scattered-spider-2025/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Scattered Spider"
          ],
          "malware_families": [
            "Spectre rat"
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Finance",
            "Healthcare",
            "Retail"
          ]
        },
        "other": {
          "adversary": [
            "Scattered Spider",
            "Multiple",
            "Elijah"
          ],
          "malware_families": [
            "U.s. threat",
            "Spectre",
            "Spectre rat"
          ],
          "industries": [
            "Technology",
            "Telecommunications",
            "Finance",
            "Healthcare",
            "Retail"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "67f62708c6faf0ab4e24f6d4",
      "name": "Scattered Spider: Still Hunting for Victims in 2025",
      "description": "Scattered Spider, a notorious hacking collective, continues to actively target victims in 2025. The group has expanded its focus to include services like Klaviyo, HubSpot, and Pure Storage, while targeting high-profile brands such as Audemars Piguet, Chick-fil-A, and Twitter/X. Silent Push researchers have identified five unique phishing kits used by Scattered Spider since 2023, with some undergoing updates. A new version of Spectre RAT has been discovered, along with the acquisition of a domain previously owned by Twitter/X. Despite arrests of several members in 2024, Scattered Spider has adapted its tactics, including the use of dynamic DNS providers and updated phishing kits. The group continues to employ sophisticated social engineering attacks to obtain credentials and multi-factor authentication tokens.",
      "modified": "2025-05-09T07:01:46.188000",
      "created": "2025-04-09T07:51:36.790000",
      "tags": [
        "phishing",
        "social engineering",
        "domain impersonation",
        "klaviyo",
        "hubspot",
        "spectre rat"
      ],
      "references": [
        "https://www.silentpush.com/blog/scattered-spider-2025"
      ],
      "public": 1,
      "adversary": "Scattered Spider",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Spectre RAT",
          "display_name": "Spectre RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [
        "Finance",
        "Retail",
        "Technology",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 53,
        "hostname": 2
      },
      "indicator_count": 55,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386543,
      "modified_text": "387 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "672cf9acd2742762e7b47903",
      "name": "Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond",
      "description": "This analysis examines phishing tactics used by threat actors, particularly focusing on the 0ktapus group. It outlines techniques for investigating phishing campaigns by pivoting between landing pages, using 0ktapus as a case study. The methods discussed include application fingerprinting, network profiling, and domain registration analysis. The research reveals various DOM templates used by 0ktapus over time and provides insights into their infrastructure and tactics. The article also offers recommendations for prevention and detection of phishing attacks, emphasizing the importance of MFA, SSO, and continuous vigilance in cybersecurity practices.",
      "modified": "2024-12-07T17:02:12.819000",
      "created": "2024-11-07T17:32:28.717000",
      "tags": [
        "social engineering",
        "phishing",
        "identity theft"
      ],
      "references": [
        "https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains"
      ],
      "public": 1,
      "adversary": "Scattered Spider",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1584",
          "name": "Compromise Infrastructure",
          "display_name": "T1584 - Compromise Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1606",
          "name": "Forge Web Credentials",
          "display_name": "T1606 - Forge Web Credentials"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        }
      ],
      "industries": [
        "Technology",
        "Finance",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 59,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 37,
        "domain": 148,
        "hostname": 34
      },
      "indicator_count": 223,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386540,
      "modified_text": "539 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "688990fa0d8382bd5f02d806",
      "name": "EbeeJuly2025 Pt1",
      "description": "IOCs of multiple threats observed and collected in July 2025",
      "modified": "2025-08-29T03:04:16.203000",
      "created": "2025-07-30T03:26:50.115000",
      "tags": [],
      "references": [
        "Julypt1.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 39,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 144,
        "FileHash-SHA256": 232,
        "CIDR": 1,
        "CVE": 3,
        "domain": 150,
        "email": 9,
        "hostname": 37
      },
      "indicator_count": 746,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "275 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68678d076be34e0dd9d9a6fd",
      "name": "GC Scattered Spider Targeting Multi Sectors",
      "description": "The following is a full list of malicious domain names: \u00a31.5m,   \u00a31bn, \u20ac2.3m..7m",
      "modified": "2025-08-03T08:01:56.508000",
      "created": "2025-07-04T08:12:55.944000",
      "tags": [
        "domain"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 27,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dario.guerreiro",
        "id": "155493",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 52,
        "hostname": 2
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 31,
      "modified_text": "301 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6808456074f76f5b134bac73",
      "name": "Scattered Spider: Persistent Threat Actor Targets Major Brands in 2025",
      "description": "The Scattered Spider hacker collective continues to pose a significant threat in 2025, targeting major brands such as Klaviyo, HubSpot, and Pure Storage. Silent Push researchers have identified five unique phishing kits used by Scattered Spider, with updates to their tactics, techniques, and procedures (TTPs). Notably, the group has deployed a new version of Spectre RAT to gain persistent access to compromised systems.",
      "modified": "2025-05-23T01:05:36.873000",
      "created": "2025-04-23T01:41:52.223000",
      "tags": [
        "spider",
        "spectre rat",
        "silent push",
        "bitlaunch",
        "push",
        "okta",
        "snowflake",
        "bitcoin",
        "kraken",
        "trojan",
        "elijah",
        "u.s. threat",
        "spectre"
      ],
      "references": [
        "https://www.silentpush.com/blog/scattered-spider-2025/"
      ],
      "public": 1,
      "adversary": "Elijah",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "U.S. Threat",
          "display_name": "U.S. Threat",
          "target": null
        },
        {
          "id": "Spectre",
          "display_name": "Spectre",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1530",
          "name": "Data from Cloud Storage Object",
          "display_name": "T1530 - Data from Cloud Storage Object"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 56,
        "hostname": 2
      },
      "indicator_count": 58,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "373 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67f7813ad4864d50644332e8",
      "name": "IOC&TTP - Scattered Spider: Still Hunting for Victims in 2025",
      "description": "Scattered Spider \u662f\u4e00\u4e2a\u81ea 2022 \u5e74\u4ee5\u6765\u6d3b\u8dc3\u7684\u653b\u51fb\u56e2\u4f53\uff0c\u4ee5\u9ad8\u6c34\u5e73\u7684\u793e\u4f1a\u5de5\u7a0b\u5b66\u653b\u51fb\u548c\u7f51\u7edc\u9493\u9c7c\u6d3b\u52a8\u8457\u79f0 \u3002\u4ed6\u4eec\u5728 2025 \u5e74\u6301\u7eed\u6269\u5f20\u76ee\u6807\u8303\u56f4\uff0c\u4ece\u91d1\u878d\u3001\u4e91\u5b58\u50a8\u5230\u96f6\u552e\u3001\u793e\u4ea4\u5e73\u53f0\u4e0e\u8425\u9500\u5de5\u5177\u7b49\u591a\u4e2a\u884c\u4e1a\u3002\n\u5c3d\u7ba1 2024 \u5e74\u591a\u540d\u7591\u4f3c\u6210\u5458\u88ab\u6355\uff0c\u4f46 Scattered Spider \u5e76\u672a\u56e0\u6b64\u505c\u6b47\uff0c\u5728 2025 \u5e74\u6301\u7eed\u6295\u5165\u65b0\u7684\u6280\u672f\u4e0e\u5de5\u5177\u6765\u8fdb\u884c\u7a83\u53d6\u51ed\u636e\u3001\u6269\u5927\u653b\u51fb\u8303\u56f4\u3001\u6df7\u6dc6\u57fa\u7840\u67b6\u6784\u7b49\u884c\u52a8\u3002\u4f01\u4e1a\u6216\u7ec4\u7ec7\u9700\u8981\u9488\u5bf9\u5176\u52a8\u6001\u6ce8\u518c\u57df\u540d\u3001\u9493\u9c7c\u5957\u4ef6\u4e0e RAT \u5bb6\u65cf\u6d3b\u52a8\u91c7\u53d6\u9632\u62a4\u63aa\u65bd\u3002",
      "modified": "2025-05-09T07:01:46.188000",
      "created": "2025-04-10T08:28:42.480000",
      "tags": [
        "phishing",
        "social engineering",
        "domain impersonation",
        "klaviyo",
        "hubspot",
        "spectre rat"
      ],
      "references": [
        "https://www.silentpush.com/blog/scattered-spider-2025"
      ],
      "public": 1,
      "adversary": "Scattered Spider",
      "targeted_countries": [
        "United States of America",
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [
        {
          "id": "Spectre RAT",
          "display_name": "Spectre RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [
        "Finance",
        "Retail",
        "Technology",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": "67f62708c6faf0ab4e24f6d4",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 53,
        "hostname": 2
      },
      "indicator_count": 55,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "387 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pfchangs-support.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pfchangs-support.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237498.229213
}