{
  "type": "Domain",
  "indicator": "pfs1010.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pfs1010.com",
    "alexa": "http://www.alexa.com/siteinfo/pfs1010.com",
    "indicator": "pfs1010.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3616637272,
      "indicator": "pfs1010.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 15,
      "pulses": [
        {
          "id": "63c82cfb80f9e85b9b69c3cc",
          "name": "Chinese Playful Taurus Activity in Iran",
          "description": "In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian. This backdoor remains under active development and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus.",
          "modified": "2023-02-17T16:05:35.314000",
          "created": "2023-01-18T17:31:38.649000",
          "tags": [
            "playful taurus",
            "apt15",
            "backdoor",
            "backdoordiplomacy",
            "nickel",
            "vixen panda",
            "iranian",
            "vmprotect",
            "api obfuscation"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/playful-taurus/"
          ],
          "public": 1,
          "adversary": "Playful Taurus",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Telecommunications",
            "Foreign",
            "Foreign Affairs",
            "Diplomatic",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 401,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 5,
            "hostname": 5
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386683,
          "modified_text": "1199 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68897aac34d205d5cfc55c74",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-07-30\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-07-30T01:51:40.989000",
          "created": "2025-07-30T01:51:40.989000",
          "tags": [
            "threat_actor",
            "unknown",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "306 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6851f4070f95e4f44c09efcf",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-06-17\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-06-17T23:02:30.349000",
          "created": "2025-06-17T23:02:30.349000",
          "tags": [
            "threat_actor",
            "unknown",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 56,
          "modified_text": "348 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683df46be3b5f1ff932aa84a",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-06-02\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-06-02T18:58:51.287000",
          "created": "2025-06-02T18:58:51.287000",
          "tags": [
            "threat_actor",
            "unknown",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "363 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681d16a9fdb8ff7bfe8db459",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-05-08\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-05-08T20:40:09.409000",
          "created": "2025-05-08T20:40:09.409000",
          "tags": [
            "threat_actor",
            "unknown",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "388 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "680190c45c13710c439a3db0",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-04-17\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-04-17T23:37:40.060000",
          "created": "2025-04-17T23:37:40.060000",
          "tags": [
            "threat_actor",
            "unknown",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "409 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ff13e09a7b60d18a996220",
          "name": "Threat Actor Profile: Mirage",
          "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Techniques\n* T1497\n* T1114.002\n* T1114\n* T1001\n* T1094\n* ... y 204 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
          "modified": "2025-04-16T02:20:16.466000",
          "created": "2025-04-16T02:20:16.466000",
          "tags": [
            "threat_actor",
            "unknown",
            "T1497",
            "T1114.002",
            "T1114",
            "T1001",
            "T1094",
            "T1566.001",
            "T1068",
            "T1087.003",
            "T1111",
            "T1059.003",
            "T1053.002",
            "T1053.006",
            "TA0037",
            "T1014",
            "T1598.003",
            "T1602.002",
            "T1444",
            "T1081",
            "TA0004",
            "T1598.001",
            "T1598",
            "T1053.001",
            "T1574",
            "T1017",
            "T1602",
            "TA0002",
            "T1202",
            "T1194",
            "TA0005",
            "TA0011",
            "T1059.006",
            "T1031",
            "T1059",
            "T1055.004",
            "T1192",
            "T1574.006",
            "T1566.002",
            "T1156",
            "T1055.008",
            "T1056.003",
            "T1560",
            "T1053.007",
            "T1583.002",
            "T1055.001",
            "T1082",
            "T1027",
            "T1608.005",
            "T1071.001",
            "T1566",
            "T1038",
            "T1589",
            "T1041",
            "T1534",
            "T1105",
            "TA0009",
            "T1204.001",
            "T1155",
            "T1049",
            "T1001.003",
            "T1445",
            "T1056.001",
            "T1071.004",
            "T1608.001",
            "T1055.002",
            "T1210",
            "T1056",
            "T1450",
            "TA0006",
            "T1193",
            "T1055",
            "TA0043",
            "T1493",
            "TA0003",
            "TA0007",
            "T1491",
            "T1036",
            "T1036.004",
            "T1503",
            "T1114.001",
            "T1449",
            "T1566.003",
            "T1053",
            "T1110.002",
            "T1053.003",
            "T1459",
            "T1001.001",
            "T1598.002",
            "T1140",
            "T1059.007",
            "T1496",
            "TA0001",
            "T1088",
            "T1113",
            "T1071.003",
            "T1012",
            "T1046",
            "T1114.003",
            "T1129",
            "T1125",
            "T1071",
            "T1583.005_102",
            "106_T1056",
            "T1036.002",
            "T1112",
            "T1018",
            "T1021.002",
            "T1036.005",
            "T1547",
            "T1057",
            "T1008",
            "T1518",
            "T1170",
            "T1021",
            "T1011",
            "T1060",
            "T1539",
            "T1418",
            "T1614.001",
            "T1087.002",
            "T1021.001",
            "T1040",
            "T1020",
            "T1213",
            "T1069",
            "T1587",
            "T1533",
            "T1003.003",
            "T1003.004",
            "T1560.001",
            "T1548.002",
            "T1087",
            "T1069.002",
            "T1095",
            "T1426",
            "T1102",
            "T1201",
            "T1222",
            "T1070",
            "T1074",
            "T1033",
            "T1130",
            "T1569",
            "T1078.002",
            "T1552",
            "T1106",
            "T1190",
            "T1007",
            "T1495",
            "T1133",
            "T1090",
            "T1547.001",
            "T1588.002",
            "T1016",
            "T1422",
            "T1137",
            "T1588",
            "T1119",
            "T1437",
            "T1124",
            "T1569.002",
            "T1134",
            "T1005",
            "T1005.001",
            "T1003.002",
            "T1903",
            "T1059.001",
            "T1853",
            "T1115",
            "T1543.003",
            "T1430",
            "T1087.001",
            "T1587.001",
            "T1562.001",
            "T1543",
            "T1489",
            "T1078",
            "T1614",
            "T1509",
            "T1078.004",
            "T1083",
            "T1592.004",
            "T1558.001",
            "T1558",
            "T1530",
            "T1213.002",
            "T1047",
            "T1085",
            "T1003",
            "T1003.001",
            "T1120",
            "T1217",
            "T1074.001",
            "T1010",
            "T1218",
            "T1048",
            "T1553",
            "T1490",
            "T1497.003",
            "T1055.003",
            "T1571",
            "T11955",
            "T1204.002",
            "T1199",
            "T1204.",
            "T1595.002",
            "T1102.002",
            "T1583.003",
            "T1027.009",
            "T1027.013",
            "target:Dominican Republic",
            "target:India 2",
            "target:Ghana",
            "target:Siria",
            "target:Venezuela",
            "target:India",
            "target:Switzerland",
            "target:El Salvador",
            "target:Italy",
            "target:Mali",
            "target:Colombia",
            "target:Pakistan",
            "target:Panama",
            "target:Barbados",
            "target:Bulgaria",
            "target:But\u00e1n",
            "target:Albania",
            "target:South Africa",
            "target:Uzbekist\u00e1n",
            "target:Chequia",
            "target:Ecuador",
            "target:Eslovaquia",
            "target:Guatemala",
            "target:Belgium",
            "target:Montenegro",
            "target:Malaysia",
            "target:Poland",
            "target:Egypt",
            "target:EE.UU.",
            "target:Trinidad y Tobago",
            "target:Afganist\u00e1n",
            "target:Georgia",
            "target:Nigeria",
            "target:Saudi Arabia",
            "target:Brazil",
            "target:France",
            "target:Indonesia",
            "target:Chile",
            "target:Jamaica",
            "target:Hungary",
            "target:Portugal",
            "target:United Kingdom",
            "target:Peru",
            "target:Iran",
            "target:Turqu\u00eda",
            "target:Kazajist\u00e1n",
            "target:Bosnia y Herzegovina",
            "target:China",
            "target:Sri Lanka",
            "target:Croacia",
            "target:Germany",
            "target:Libia",
            "target:Mexico",
            "target:United Arab Emirates",
            "target:Argentina",
            "target:Global",
            "target:Netherlands",
            "target:Japan",
            "target:Bolivia",
            "target:Yibuti",
            "target:Vietnam",
            "target:Fiyi",
            "target:Cuba",
            "target:Camboya",
            "target:Taiw\u00e1n",
            "target:United States"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 6,
            "hostname": 48,
            "domain": 41
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 55,
          "modified_text": "411 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "677337a16d3d2b051137f251",
          "name": "Mirage",
          "description": "Mirage es un grupo de ciberespionaje vinculado al Ej\u00e9rcito Popular de Liberaci\u00f3n de China, centrado en la recopilaci\u00f3n de inteligencia en sectores como aeroespacial y defensa. Utilizan malware personalizado, spear-phishing y ataques a sitios web para infiltrar organizaciones.",
          "modified": "2025-01-30T00:00:18.927000",
          "created": "2024-12-31T00:15:29.657000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "Mirage",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 399,
            "FileHash-SHA1": 367,
            "FileHash-SHA256": 379,
            "CVE": 6,
            "domain": 41,
            "hostname": 48
          },
          "indicator_count": 1240,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "487 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67733b72d522398f5ea0a12d",
          "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
          "description": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
          "modified": "2025-01-30T00:00:18.927000",
          "created": "2024-12-31T00:31:46.858000",
          "tags": [
            "cve201711882",
            "cve20201472"
          ],
          "references": [],
          "public": 1,
          "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "fraevolquez",
            "id": "91700",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2631,
            "FileHash-SHA1": 2168,
            "FileHash-SHA256": 3401,
            "CVE": 25,
            "domain": 977,
            "hostname": 1226
          },
          "indicator_count": 10428,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "487 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709637353a6151ed506121",
          "name": "Cyble &mdash; Gigabud RAT: New Android RAT Masquerading as Government Agencies",
          "description": "",
          "modified": "2023-12-06T15:41:43.936000",
          "created": "2023-12-06T15:41:43.936000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 85,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 31,
            "domain": 30,
            "hostname": 14,
            "URL": 14,
            "CVE": 1
          },
          "indicator_count": 204,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c9adb6c982e9d6558cadc9",
          "name": "Cyble &mdash; Gigabud RAT: New Android RAT Masquerading as Government Agencies",
          "description": "Cyble Research & Intelligence Labs (CRIL) has identified a new type of Android malware that has been targeting users in Thailand, the Philippines, and Peru since July 2022.   the same malware was discovered in September 2017.",
          "modified": "2023-02-19T00:00:03.334000",
          "created": "2023-01-19T20:53:10.231000",
          "tags": [
            "cyber security news",
            "cyber news",
            "cyber security news today",
            "cyber security updates",
            "cyber updates",
            "hacker news",
            "hacking news",
            "software vulnerability",
            "cyber attacks",
            "data breach",
            "ransomware malware",
            "how to hack",
            "network security",
            "information security",
            "the hacker news",
            "computer security",
            "hook",
            "ermac",
            "threatfabric",
            "octo",
            "hydra",
            "device take",
            "over",
            "dukeeugene",
            "blackrock",
            "cerberus",
            "android",
            "twitter",
            "securex",
            "gamaredon",
            "threats",
            "malware research",
            "bumblebee",
            "qakbot",
            "threat spotlight",
            "lnk file",
            "figure",
            "talos",
            "august",
            "microsoft",
            "drive serial",
            "july",
            "lnk target",
            "icedid",
            "june",
            "python",
            "meterpreter",
            "cobalt strike",
            "raspberry robin",
            "virustotal",
            "qbot",
            "pinkslipbot",
            "lamar",
            "playful taurus",
            "ministry",
            "table",
            "c2 server",
            "middle east",
            "palo alto",
            "networks",
            "foreign affairs",
            "time",
            "file",
            "turian",
            "april",
            "vmprotect",
            "kechang",
            "alliance",
            "wildfire",
            "okrum",
            "ketrican",
            "malware",
            "endpoints",
            "research",
            "articles",
            "news",
            "reports",
            "batloader",
            "batloader c",
            "water minyades",
            "c server",
            "trend micro",
            "batloader file",
            "javascript",
            "december",
            "msi file",
            "zloader",
            "find",
            "ursnif",
            "vidar",
            "redline stealer",
            "powershell",
            "indonesia",
            "small",
            "tools",
            "raccoonstealer",
            "smokeloader",
            "fallout",
            "install",
            "download",
            "smoke loader",
            "stealer",
            "evolution",
            "contact",
            "libya",
            "urls https",
            "qatar",
            "israel",
            "bogle",
            "stage",
            "embassy",
            "libya israel",
            "hafter",
            "threat research",
            "security attack",
            "fortinet",
            "python end",
            "fortigate",
            "fortimail",
            "forticlient",
            "fortiedr",
            "antivirus",
            "fortiguard web",
            "urls",
            "malicious",
            "bianlian",
            "go language",
            "avast",
            "skip",
            "aes256",
            "cbc mode",
            "aes cbc",
            "click",
            "dharma",
            "remcos",
            "crysis dharma",
            "ransomware",
            "wiper malware",
            "ransomware roundup",
            "fortiguard labs",
            "fortiguard",
            "web filtering",
            "iocs",
            "guidance due",
            "nse training",
            "awareness",
            "service",
            "remcos payload",
            "event viewer",
            "remcos rat",
            "ntcreatesection",
            "remote access",
            "tool",
            "dropper",
            "capture",
            "nsis",
            "aurora",
            "data leak",
            "hwid",
            "facebook messenger",
            "infostealer",
            "json",
            "cryptocurrency",
            "threat intelligence",
            "vidar stealer",
            "telegram",
            "phishing",
            "shapeshifting",
            "aurora stealer",
            "cyble",
            "strong",
            "january",
            "cril",
            "singapore",
            "victims",
            "dubai",
            "a stealer",
            "demo",
            "rats",
            "crypto",
            "discord",
            "steam",
            "desktop",
            "info",
            "cookie",
            "redline",
            "recordbreaker",
            "execution",
            "write",
            "gigabud",
            "advice",
            "gigabud rat",
            "peru",
            "sunat",
            "darkweb",
            "websocket",
            "thailand",
            "kasikornbank thailand",
            "remote access trojan",
            "threat actor",
            "thai lion air",
            "banco de comercio",
            "phillipines",
            "dsi",
            "shopee thailand",
            "bir",
            "lion air",
            "department",
            "banco",
            "philippines",
            "bank",
            "protect"
          ],
          "references": [
            "https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/",
            "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
            "https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection/",
            "https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants",
            "https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-bianlian-ransomware",
            "https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/earth-bogle-campaigns-target-the-middle-east-with-geopolitical-lures/IOCs-earth-bogle-campaigns-target-the-middle-east-with-geopolitical-lures.txt",
            "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html",
            "https://unit42.paloaltonetworks.com/playful-taurus/",
            "https://blog.talosintelligence.com/following-the-lnk-metadata-trail/",
            "https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "India",
            "Singapore",
            "Australia",
            "Georgia",
            "Peru",
            "Philippines",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "BianLian",
              "display_name": "BianLian",
              "target": null
            },
            {
              "id": "Dharma",
              "display_name": "Dharma",
              "target": null
            },
            {
              "id": "Remcos",
              "display_name": "Remcos",
              "target": null
            },
            {
              "id": "Aurora",
              "display_name": "Aurora",
              "target": null
            },
            {
              "id": "Remote Access",
              "display_name": "Remote Access",
              "target": null
            },
            {
              "id": "Gigabud",
              "display_name": "Gigabud",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1411",
              "name": "Input Prompt",
              "display_name": "T1411 - Input Prompt"
            },
            {
              "id": "T1418",
              "name": "Application Discovery",
              "display_name": "T1418 - Application Discovery"
            },
            {
              "id": "T1436",
              "name": "Commonly Used Port",
              "display_name": "T1436 - Commonly Used Port"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1476",
              "name": "Deliver Malicious App via Other Means",
              "display_name": "T1476 - Deliver Malicious App via Other Means"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1510",
              "name": "Clipboard Modification",
              "display_name": "T1510 - Clipboard Modification"
            },
            {
              "id": "T1513",
              "name": "Screen Capture",
              "display_name": "T1513 - Screen Capture"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1582",
              "name": "SMS Control",
              "display_name": "T1582 - SMS Control"
            }
          ],
          "industries": [
            "Banking",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "kidfire123",
            "id": "211524",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 30,
            "hostname": 14,
            "URL": 14,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 85,
            "CVE": 1
          },
          "indicator_count": 204,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 44,
          "modified_text": "1198 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c90a30250f5380449aa943",
          "name": "Chinese Playful Taurus Activity in Iran",
          "description": "Chinese advanced persistent threat group Playful Taurus is believed to be targeting Iranian government networks, according to analysis by Palo Alto Networks and security firm ESET, and its partner, C4S.",
          "modified": "2023-02-18T09:02:34.690000",
          "created": "2023-01-19T09:15:28.583000",
          "tags": [
            "playful taurus",
            "ministry",
            "table",
            "c2 server",
            "middle east",
            "palo alto",
            "networks",
            "foreign affairs",
            "time",
            "file",
            "turian",
            "april",
            "vmprotect",
            "virustotal",
            "kechang",
            "june",
            "august",
            "python",
            "alliance",
            "wildfire",
            "okrum",
            "ketrican"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/playful-taurus/#post-126622-_570cbe1pdhwx"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Telecommunications",
            "Foreign",
            "Foreign Affairs",
            "Diplomatic",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 8,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 5,
            "domain": 6
          },
          "indicator_count": 31,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "1199 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c8f0f9195739d7dc926332",
          "name": "Chinese Playful Taurus Activity in Iran",
          "description": "",
          "modified": "2023-02-18T07:05:02.727000",
          "created": "2023-01-19T07:27:53.768000",
          "tags": [
            "playful taurus",
            "ministry",
            "table",
            "c2 server",
            "middle east",
            "palo alto",
            "networks",
            "foreign affairs",
            "time",
            "file",
            "turian",
            "april",
            "vmprotect",
            "virustotal",
            "kechang",
            "june",
            "august",
            "python",
            "alliance",
            "wildfire",
            "okrum",
            "ketrican"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/playful-taurus/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cyberasmi",
            "id": "169715",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 7,
            "FileHash-SHA256": 5,
            "domain": 6,
            "hostname": 6
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "1199 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c9b599be4e7007b4395fce",
          "name": "Chinese Playful Taurus Activity in Iran",
          "description": "",
          "modified": "2023-02-17T16:05:35.314000",
          "created": "2023-01-19T21:26:49.591000",
          "tags": [
            "playful taurus",
            "apt15",
            "backdoor",
            "backdoordiplomacy",
            "nickel",
            "vixen panda",
            "iranian",
            "vmprotect",
            "api obfuscation"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/playful-taurus/"
          ],
          "public": 1,
          "adversary": "Playful Taurus",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Telecommunications",
            "Foreign",
            "Foreign Affairs",
            "Diplomatic",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "63c82cfb80f9e85b9b69c3cc",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "feisty-swim1410",
            "id": "217462",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 5,
            "hostname": 5
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "1199 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63c7dbe5a0427b9c30c907fe",
          "name": "Chinese Playful Taurus Activity in Iran",
          "description": "Chinese hackers are believed to be targeting Iranian government networks, according to analysis by Palo Alto Networks and security firm ESET. and its partner, the European Security Research Centre (ESET), in a series of posts.",
          "modified": "2023-02-17T11:00:24.592000",
          "created": "2023-01-18T11:45:41.540000",
          "tags": [
            "playful taurus",
            "ministry",
            "table",
            "c2 server",
            "middle east",
            "palo alto",
            "networks",
            "foreign affairs",
            "time",
            "file",
            "turian",
            "april",
            "vmprotect",
            "virustotal",
            "kechang",
            "june",
            "august",
            "python",
            "alliance",
            "wildfire",
            "okrum",
            "ketrican"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/playful-taurus/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [
            "Telecommunications",
            "Foreign",
            "Foreign Affairs",
            "Diplomatic",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 5,
            "domain": 6,
            "hostname": 6
          },
          "indicator_count": 23,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1200 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blog.talosintelligence.com/following-the-lnk-metadata-trail/",
        "https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/earth-bogle-campaigns-target-the-middle-east-with-geopolitical-lures/IOCs-earth-bogle-campaigns-target-the-middle-east-with-geopolitical-lures.txt",
        "https://www.fortinet.com/blog/threat-research/ransomware-roundup-playing-whack-a-mole-with-new-crysis-dharma-variants",
        "https://www.fortinet.com/blog/threat-research/supply-chain-attack-using-identical-pypi-packages-colorslib-httpslib-libhttps",
        "https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=decrypted-bianlian-ransomware",
        "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/",
        "https://unit42.paloaltonetworks.com/playful-taurus/",
        "https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html",
        "https://minerva-labs.com/blog/new-version-of-remcos-rat-uses-direct-syscalls-to-evade-detection/",
        "https://unit42.paloaltonetworks.com/playful-taurus/#post-126622-_570cbe1pdhwx",
        "https://blog.cyble.com/2023/01/19/gigabud-rat-new-android-rat-masquerading-as-government-agencies/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Playful Taurus"
          ],
          "malware_families": [],
          "industries": [
            "Telecommunications",
            "Diplomatic",
            "Foreign",
            "Government",
            "Foreign affairs"
          ]
        },
        "other": {
          "adversary": [
            "Mirage",
            "El Machete, TAG-100, Mirage, Unamed_Grooup",
            "Playful Taurus"
          ],
          "malware_families": [
            "Bianlian",
            "Gigabud",
            "Dharma",
            "Remote access",
            "Aurora",
            "Remcos"
          ],
          "industries": [
            "Telecommunications",
            "Diplomatic",
            "Foreign",
            "Government",
            "Foreign affairs",
            "Banking"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 15,
  "pulses": [
    {
      "id": "63c82cfb80f9e85b9b69c3cc",
      "name": "Chinese Playful Taurus Activity in Iran",
      "description": "In June 2021, ESET reported that this group had upgraded their tool kit to include a new backdoor called Turian. This backdoor remains under active development and we assess that it is used exclusively by Playful Taurus actors. Following the evolution of this capability, we recently identified new variants of this backdoor as well as new command and control infrastructure. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by Playful Taurus.",
      "modified": "2023-02-17T16:05:35.314000",
      "created": "2023-01-18T17:31:38.649000",
      "tags": [
        "playful taurus",
        "apt15",
        "backdoor",
        "backdoordiplomacy",
        "nickel",
        "vixen panda",
        "iranian",
        "vmprotect",
        "api obfuscation"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/playful-taurus/"
      ],
      "public": 1,
      "adversary": "Playful Taurus",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        }
      ],
      "industries": [
        "Telecommunications",
        "Foreign",
        "Foreign Affairs",
        "Diplomatic",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 401,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 5,
        "hostname": 5
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386683,
      "modified_text": "1199 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68897aac34d205d5cfc55c74",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-07-30\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-07-30T01:51:40.989000",
      "created": "2025-07-30T01:51:40.989000",
      "tags": [
        "threat_actor",
        "unknown",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "306 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6851f4070f95e4f44c09efcf",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-06-17\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-06-17T23:02:30.349000",
      "created": "2025-06-17T23:02:30.349000",
      "tags": [
        "threat_actor",
        "unknown",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 56,
      "modified_text": "348 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683df46be3b5f1ff932aa84a",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-06-02\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-06-02T18:58:51.287000",
      "created": "2025-06-02T18:58:51.287000",
      "tags": [
        "threat_actor",
        "unknown",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "363 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681d16a9fdb8ff7bfe8db459",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-05-08\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-05-08T20:40:09.409000",
      "created": "2025-05-08T20:40:09.409000",
      "tags": [
        "threat_actor",
        "unknown",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "388 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "680190c45c13710c439a3db0",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-04-17\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to Chinas Peoples Liberation Army PLA. The groups primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-04-17T23:37:40.060000",
      "created": "2025-04-17T23:37:40.060000",
      "tags": [
        "threat_actor",
        "unknown",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "409 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ff13e09a7b60d18a996220",
      "name": "Threat Actor Profile: Mirage",
      "description": "# Mirage - Threat Actor Profile\n\n**Report Date**: 2025-04-16\n\n**Actor Type**: unknown\n\n## Description\nMirage is a sophisticated cyber espionage group believed to be linked to China's People's Liberation Army (PLA). The group's primary focus is on intelligence gathering, targeting sectors like aerospace and defense. They employ a variety of tactics and tools, including custom malware.\n\n## Techniques\n* T1497\n* T1114.002\n* T1114\n* T1001\n* T1094\n* ... y 204 m\u00e1s\n\n## Targeted Sectors\n* Administraci\u00f3n p\u00fablica\n* Transporte a\u00e9reo\n* Manufactura\n* Investigaci\u00f3n y tecnolog\u00eda espacial\n* Servicios p\u00fablicos\n* ... y 10 m\u00e1s\n\n## Targeted Countries\n* Rep\u00fablica Dominicana\n* India 2\n* Ghana\n* Siria\n* Venezuela\n* ... y 61 m\u00e1s",
      "modified": "2025-04-16T02:20:16.466000",
      "created": "2025-04-16T02:20:16.466000",
      "tags": [
        "threat_actor",
        "unknown",
        "T1497",
        "T1114.002",
        "T1114",
        "T1001",
        "T1094",
        "T1566.001",
        "T1068",
        "T1087.003",
        "T1111",
        "T1059.003",
        "T1053.002",
        "T1053.006",
        "TA0037",
        "T1014",
        "T1598.003",
        "T1602.002",
        "T1444",
        "T1081",
        "TA0004",
        "T1598.001",
        "T1598",
        "T1053.001",
        "T1574",
        "T1017",
        "T1602",
        "TA0002",
        "T1202",
        "T1194",
        "TA0005",
        "TA0011",
        "T1059.006",
        "T1031",
        "T1059",
        "T1055.004",
        "T1192",
        "T1574.006",
        "T1566.002",
        "T1156",
        "T1055.008",
        "T1056.003",
        "T1560",
        "T1053.007",
        "T1583.002",
        "T1055.001",
        "T1082",
        "T1027",
        "T1608.005",
        "T1071.001",
        "T1566",
        "T1038",
        "T1589",
        "T1041",
        "T1534",
        "T1105",
        "TA0009",
        "T1204.001",
        "T1155",
        "T1049",
        "T1001.003",
        "T1445",
        "T1056.001",
        "T1071.004",
        "T1608.001",
        "T1055.002",
        "T1210",
        "T1056",
        "T1450",
        "TA0006",
        "T1193",
        "T1055",
        "TA0043",
        "T1493",
        "TA0003",
        "TA0007",
        "T1491",
        "T1036",
        "T1036.004",
        "T1503",
        "T1114.001",
        "T1449",
        "T1566.003",
        "T1053",
        "T1110.002",
        "T1053.003",
        "T1459",
        "T1001.001",
        "T1598.002",
        "T1140",
        "T1059.007",
        "T1496",
        "TA0001",
        "T1088",
        "T1113",
        "T1071.003",
        "T1012",
        "T1046",
        "T1114.003",
        "T1129",
        "T1125",
        "T1071",
        "T1583.005_102",
        "106_T1056",
        "T1036.002",
        "T1112",
        "T1018",
        "T1021.002",
        "T1036.005",
        "T1547",
        "T1057",
        "T1008",
        "T1518",
        "T1170",
        "T1021",
        "T1011",
        "T1060",
        "T1539",
        "T1418",
        "T1614.001",
        "T1087.002",
        "T1021.001",
        "T1040",
        "T1020",
        "T1213",
        "T1069",
        "T1587",
        "T1533",
        "T1003.003",
        "T1003.004",
        "T1560.001",
        "T1548.002",
        "T1087",
        "T1069.002",
        "T1095",
        "T1426",
        "T1102",
        "T1201",
        "T1222",
        "T1070",
        "T1074",
        "T1033",
        "T1130",
        "T1569",
        "T1078.002",
        "T1552",
        "T1106",
        "T1190",
        "T1007",
        "T1495",
        "T1133",
        "T1090",
        "T1547.001",
        "T1588.002",
        "T1016",
        "T1422",
        "T1137",
        "T1588",
        "T1119",
        "T1437",
        "T1124",
        "T1569.002",
        "T1134",
        "T1005",
        "T1005.001",
        "T1003.002",
        "T1903",
        "T1059.001",
        "T1853",
        "T1115",
        "T1543.003",
        "T1430",
        "T1087.001",
        "T1587.001",
        "T1562.001",
        "T1543",
        "T1489",
        "T1078",
        "T1614",
        "T1509",
        "T1078.004",
        "T1083",
        "T1592.004",
        "T1558.001",
        "T1558",
        "T1530",
        "T1213.002",
        "T1047",
        "T1085",
        "T1003",
        "T1003.001",
        "T1120",
        "T1217",
        "T1074.001",
        "T1010",
        "T1218",
        "T1048",
        "T1553",
        "T1490",
        "T1497.003",
        "T1055.003",
        "T1571",
        "T11955",
        "T1204.002",
        "T1199",
        "T1204.",
        "T1595.002",
        "T1102.002",
        "T1583.003",
        "T1027.009",
        "T1027.013",
        "target:Dominican Republic",
        "target:India 2",
        "target:Ghana",
        "target:Siria",
        "target:Venezuela",
        "target:India",
        "target:Switzerland",
        "target:El Salvador",
        "target:Italy",
        "target:Mali",
        "target:Colombia",
        "target:Pakistan",
        "target:Panama",
        "target:Barbados",
        "target:Bulgaria",
        "target:But\u00e1n",
        "target:Albania",
        "target:South Africa",
        "target:Uzbekist\u00e1n",
        "target:Chequia",
        "target:Ecuador",
        "target:Eslovaquia",
        "target:Guatemala",
        "target:Belgium",
        "target:Montenegro",
        "target:Malaysia",
        "target:Poland",
        "target:Egypt",
        "target:EE.UU.",
        "target:Trinidad y Tobago",
        "target:Afganist\u00e1n",
        "target:Georgia",
        "target:Nigeria",
        "target:Saudi Arabia",
        "target:Brazil",
        "target:France",
        "target:Indonesia",
        "target:Chile",
        "target:Jamaica",
        "target:Hungary",
        "target:Portugal",
        "target:United Kingdom",
        "target:Peru",
        "target:Iran",
        "target:Turqu\u00eda",
        "target:Kazajist\u00e1n",
        "target:Bosnia y Herzegovina",
        "target:China",
        "target:Sri Lanka",
        "target:Croacia",
        "target:Germany",
        "target:Libia",
        "target:Mexico",
        "target:United Arab Emirates",
        "target:Argentina",
        "target:Global",
        "target:Netherlands",
        "target:Japan",
        "target:Bolivia",
        "target:Yibuti",
        "target:Vietnam",
        "target:Fiyi",
        "target:Cuba",
        "target:Camboya",
        "target:Taiw\u00e1n",
        "target:United States"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 6,
        "hostname": 48,
        "domain": 41
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 55,
      "modified_text": "411 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "677337a16d3d2b051137f251",
      "name": "Mirage",
      "description": "Mirage es un grupo de ciberespionaje vinculado al Ej\u00e9rcito Popular de Liberaci\u00f3n de China, centrado en la recopilaci\u00f3n de inteligencia en sectores como aeroespacial y defensa. Utilizan malware personalizado, spear-phishing y ataques a sitios web para infiltrar organizaciones.",
      "modified": "2025-01-30T00:00:18.927000",
      "created": "2024-12-31T00:15:29.657000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "Mirage",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 399,
        "FileHash-SHA1": 367,
        "FileHash-SHA256": 379,
        "CVE": 6,
        "domain": 41,
        "hostname": 48
      },
      "indicator_count": 1240,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "487 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67733b72d522398f5ea0a12d",
      "name": "Indicadores de Compromiso Estudiio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar",
      "description": "Indicadores de Compromiso Estudio de Inteligencia de Amenaza para Maestr\u00eda UASD Sobre Actores identificados en SOC Radar con Intereses en la Administraci\u00f3n P\u00fablica de la Rep\u00fablica Dominicana, Diciembre 2024",
      "modified": "2025-01-30T00:00:18.927000",
      "created": "2024-12-31T00:31:46.858000",
      "tags": [
        "cve201711882",
        "cve20201472"
      ],
      "references": [],
      "public": 1,
      "adversary": "El Machete, TAG-100, Mirage, Unamed_Grooup",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "fraevolquez",
        "id": "91700",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2631,
        "FileHash-SHA1": 2168,
        "FileHash-SHA256": 3401,
        "CVE": 25,
        "domain": 977,
        "hostname": 1226
      },
      "indicator_count": 10428,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "487 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65709637353a6151ed506121",
      "name": "Cyble \u2014 Gigabud RAT: New Android RAT Masquerading as Government Agencies",
      "description": "",
      "modified": "2023-12-06T15:41:43.936000",
      "created": "2023-12-06T15:41:43.936000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 85,
        "FileHash-MD5": 29,
        "FileHash-SHA1": 31,
        "domain": 30,
        "hostname": 14,
        "URL": 14,
        "CVE": 1
      },
      "indicator_count": 204,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pfs1010.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pfs1010.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780323575.6967897
}