{
  "type": "Domain",
  "indicator": "pgadmin.link",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pgadmin.link",
    "alexa": "http://www.alexa.com/siteinfo/pgadmin.link",
    "indicator": "pgadmin.link",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3860116084,
      "indicator": "pgadmin.link",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 9,
      "pulses": [
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "109 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ae825ee4680bf980f21c4e",
          "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
          "description": "A group known as FIN7 has been using Google ads to lure users into downloading malware, according to a report published this week by cybersecurity firm eSentire and the Microsoft Security Research Center..",
          "modified": "2025-03-15T23:04:39.639000",
          "created": "2025-02-13T23:38:05.365000",
          "tags": [
            "path",
            "span",
            "button",
            "link",
            "script",
            "template",
            "github",
            "form",
            "footer",
            "overlay",
            "code",
            "meta",
            "asyncrat",
            "reload",
            "diceloader",
            "find",
            "close",
            "amos",
            "stealer",
            "autoit",
            "darkvnc",
            "ducktail",
            "lumma stealer",
            "icedid",
            "lazarus",
            "mintsloader",
            "pikabot",
            "venomrat",
            "webdav",
            "solarmarker",
            "stealc",
            "download",
            "body",
            "write",
            "small",
            "enterprise",
            "star",
            "courier",
            "copy",
            "open",
            "main",
            "contact",
            "cyber security news",
            "cyber news",
            "cyber security news today",
            "cyber security updates",
            "cyber updates",
            "hacker news",
            "hacking news",
            "software vulnerability",
            "cyber attacks",
            "data breach",
            "ransomware malware",
            "how to hack",
            "network security",
            "information security",
            "the hacker news",
            "computer security",
            "fin7",
            "netsupport rat",
            "google",
            "msix",
            "blackrock",
            "asana",
            "wall street",
            "journal",
            "google meet",
            "powertrash",
            "anydesk",
            "winscp",
            "carbanak",
            "powerplant",
            "termite",
            "gracewire",
            "april",
            "fakeupdates",
            "rats",
            "twitter",
            "netsupport"
          ],
          "references": [
            "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
          ],
          "public": 1,
          "adversary": "FIN7",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "POWERTRASH",
              "display_name": "POWERTRASH",
              "target": null
            },
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 39,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Armature_TIP",
            "id": "308911",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 14,
            "domain": 45,
            "hostname": 1
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "444 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664af48a9759d9c47027ae76",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
          "modified": "2024-06-19T00:02:58.897000",
          "created": "2024-05-20T06:58:18.216000",
          "tags": [
            "FIN7",
            "C2s",
            "diceloader c2"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "FileHash-MD5": 5,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "714 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664ef754aed8040246df6b17",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "",
          "modified": "2024-06-19T00:02:58.897000",
          "created": "2024-05-23T07:59:16.500000",
          "tags": [
            "FIN7",
            "C2s",
            "diceloader c2"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "664af48a9759d9c47027ae76",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 20,
            "FileHash-MD5": 5,
            "domain": 24,
            "hostname": 1
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "714 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664308c684d8735f866694b3",
          "name": "FIN7 Group Uses Malicious Google Ads for NetSupport RAT Delivery",
          "description": "",
          "modified": "2024-06-13T06:02:39.333000",
          "created": "2024-05-14T06:46:30.502000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 47,
            "FileHash-MD5": 6,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "URL": 12,
            "hostname": 3
          },
          "indicator_count": 85,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 499,
          "modified_text": "719 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "664240ec762f0effd3cd2001",
          "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
          "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
          "modified": "2024-06-12T16:01:44.583000",
          "created": "2024-05-13T16:33:48.823000",
          "tags": [
            "fin7 c2s",
            "diceloader c2",
            "diceloader"
          ],
          "references": [
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AustinBH",
            "id": "147442",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 48,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "hostname": 2
          },
          "indicator_count": 61,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641e1a2d4749d038f20e74f",
          "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
          "description": "The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.\n\n\"The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,\" cybersecurity firm eSentire said in a report published earlier this week.",
          "modified": "2024-06-12T09:05:01.533000",
          "created": "2024-05-13T09:47:14.971000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "python",
            "netsupport",
            "diceloader c2"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 304,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dekaRituraj",
            "id": "99856",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 44,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 2,
            "hostname": 1
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 433,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ae1448d96e0d9e91786d",
          "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
          "description": "Palo Alto\u2019s Managed Detection and Response (MDR) is a 24-hour-a-service provider for Microsoft, Cisco, Microsoft and other major technology companies, with a wide range of services.",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:07:16.405000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "fin7 c2s",
            "diceloader c2",
            "python",
            "netsupport"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 5,
            "domain": 44,
            "hostname": 1
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6641ae33d2b5b0a2fcc9ebae",
          "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
          "description": "Palo Alto\u2019s Managed Detection and Response (MDR) is a 24-hour-a-service provider for Microsoft, Cisco, Microsoft and other major technology companies, with a wide range of services.",
          "modified": "2024-06-12T06:01:34.035000",
          "created": "2024-05-13T06:07:47.725000",
          "tags": [
            "figure",
            "netsupport rat",
            "fin7",
            "threat response",
            "unit",
            "diceloader",
            "msix",
            "msix file",
            "c2 server",
            "python payload",
            "cyber",
            "april",
            "anydesk",
            "winscp",
            "blackrock",
            "updater",
            "schtasks",
            "phishing",
            "fin7 c2s",
            "diceloader c2",
            "python",
            "netsupport"
          ],
          "references": [
            "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
            "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "BlackRock",
              "display_name": "BlackRock",
              "target": null
            },
            {
              "id": "FIN7",
              "display_name": "FIN7",
              "target": null
            },
            {
              "id": "MSIX",
              "display_name": "MSIX",
              "target": null
            },
            {
              "id": "Python",
              "display_name": "Python",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Construction",
            "Finance",
            "Legal",
            "Manufacturing",
            "Healthcare",
            "Retail",
            "Food",
            "Government",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 5,
            "domain": 44,
            "hostname": 1
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "720 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html",
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
        "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "FIN7"
          ],
          "malware_families": [
            "Python",
            "Powertrash",
            "Fin7",
            "Netsupport",
            "Msix",
            "Blackrock"
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Finance",
            "Retail",
            "Education",
            "Legal",
            "Construction",
            "Manufacturing",
            "Food"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 9,
  "pulses": [
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "109 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ae825ee4680bf980f21c4e",
      "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
      "description": "A group known as FIN7 has been using Google ads to lure users into downloading malware, according to a report published this week by cybersecurity firm eSentire and the Microsoft Security Research Center.",
      "modified": "2025-03-15T23:04:39.639000",
      "created": "2025-02-13T23:38:05.365000",
      "tags": [
        "path",
        "span",
        "button",
        "link",
        "script",
        "template",
        "github",
        "form",
        "footer",
        "overlay",
        "code",
        "meta",
        "asyncrat",
        "reload",
        "diceloader",
        "find",
        "close",
        "amos",
        "stealer",
        "autoit",
        "darkvnc",
        "ducktail",
        "lumma stealer",
        "icedid",
        "lazarus",
        "mintsloader",
        "pikabot",
        "venomrat",
        "webdav",
        "solarmarker",
        "stealc",
        "download",
        "body",
        "write",
        "small",
        "enterprise",
        "star",
        "courier",
        "copy",
        "open",
        "main",
        "contact",
        "cyber security news",
        "cyber news",
        "cyber security news today",
        "cyber security updates",
        "cyber updates",
        "hacker news",
        "hacking news",
        "software vulnerability",
        "cyber attacks",
        "data breach",
        "ransomware malware",
        "how to hack",
        "network security",
        "information security",
        "the hacker news",
        "computer security",
        "fin7",
        "netsupport rat",
        "google",
        "msix",
        "blackrock",
        "asana",
        "wall street",
        "journal",
        "google meet",
        "powertrash",
        "anydesk",
        "winscp",
        "carbanak",
        "powerplant",
        "termite",
        "gracewire",
        "april",
        "fakeupdates",
        "rats",
        "twitter",
        "netsupport"
      ],
      "references": [
        "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
      ],
      "public": 1,
      "adversary": "FIN7",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "POWERTRASH",
          "display_name": "POWERTRASH",
          "target": null
        },
        {
          "id": "BlackRock",
          "display_name": "BlackRock",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 39,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Armature_TIP",
        "id": "308911",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 14,
        "domain": 45,
        "hostname": 1
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "444 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "664af48a9759d9c47027ae76",
      "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
      "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
      "modified": "2024-06-19T00:02:58.897000",
      "created": "2024-05-20T06:58:18.216000",
      "tags": [
        "FIN7",
        "C2s",
        "diceloader c2"
      ],
      "references": [
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 20,
        "FileHash-MD5": 5,
        "domain": 24,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "714 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "664ef754aed8040246df6b17",
      "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
      "description": "",
      "modified": "2024-06-19T00:02:58.897000",
      "created": "2024-05-23T07:59:16.500000",
      "tags": [
        "FIN7",
        "C2s",
        "diceloader c2"
      ],
      "references": [
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "664af48a9759d9c47027ae76",
      "export_count": 21,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 20,
        "FileHash-MD5": 5,
        "domain": 24,
        "hostname": 1
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "714 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "664308c684d8735f866694b3",
      "name": "FIN7 Group Uses Malicious Google Ads for NetSupport RAT Delivery",
      "description": "",
      "modified": "2024-06-13T06:02:39.333000",
      "created": "2024-05-14T06:46:30.502000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 47,
        "FileHash-MD5": 6,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "URL": 12,
        "hostname": 3
      },
      "indicator_count": 85,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 499,
      "modified_text": "719 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "664240ec762f0effd3cd2001",
      "name": "FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads",
      "description": "In April 2024, eSentire\u2019s Threat Response Unit (TRU) observed multiple incidents involving FIN7, a financially motivated threat group based in Russia that has been active since 2013. The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.",
      "modified": "2024-06-12T16:01:44.583000",
      "created": "2024-05-13T16:33:48.823000",
      "tags": [
        "fin7 c2s",
        "diceloader c2",
        "diceloader"
      ],
      "references": [
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt",
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AustinBH",
        "id": "147442",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 48,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "hostname": 2
      },
      "indicator_count": 61,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 57,
      "modified_text": "720 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6641e1a2d4749d038f20e74f",
      "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT",
      "description": "The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT.\n\n\"The threat actors used malicious websites to impersonate well-known brands, including AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet,\" cybersecurity firm eSentire said in a report published earlier this week.",
      "modified": "2024-06-12T09:05:01.533000",
      "created": "2024-05-13T09:47:14.971000",
      "tags": [
        "figure",
        "netsupport rat",
        "fin7",
        "threat response",
        "unit",
        "diceloader",
        "msix",
        "msix file",
        "c2 server",
        "python payload",
        "cyber",
        "april",
        "anydesk",
        "winscp",
        "blackrock",
        "updater",
        "schtasks",
        "phishing",
        "python",
        "netsupport",
        "diceloader c2"
      ],
      "references": [
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
        "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BlackRock",
          "display_name": "BlackRock",
          "target": null
        },
        {
          "id": "FIN7",
          "display_name": "FIN7",
          "target": null
        },
        {
          "id": "MSIX",
          "display_name": "MSIX",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Construction",
        "Finance",
        "Legal",
        "Manufacturing",
        "Healthcare",
        "Retail",
        "Food",
        "Government",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 304,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dekaRituraj",
        "id": "99856",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 44,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 2,
        "hostname": 1
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 433,
      "modified_text": "720 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6641ae1448d96e0d9e91786d",
      "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
      "description": "Palo Alto\u2019s Managed Detection and Response (MDR) is a 24-hour-a-service provider for Microsoft, Cisco, Microsoft and other major technology companies, with a wide range of services.",
      "modified": "2024-06-12T06:01:34.035000",
      "created": "2024-05-13T06:07:16.405000",
      "tags": [
        "figure",
        "netsupport rat",
        "fin7",
        "threat response",
        "unit",
        "diceloader",
        "msix",
        "msix file",
        "c2 server",
        "python payload",
        "cyber",
        "april",
        "anydesk",
        "winscp",
        "blackrock",
        "updater",
        "schtasks",
        "phishing",
        "fin7 c2s",
        "diceloader c2",
        "python",
        "netsupport"
      ],
      "references": [
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BlackRock",
          "display_name": "BlackRock",
          "target": null
        },
        {
          "id": "FIN7",
          "display_name": "FIN7",
          "target": null
        },
        {
          "id": "MSIX",
          "display_name": "MSIX",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Construction",
        "Finance",
        "Legal",
        "Manufacturing",
        "Healthcare",
        "Retail",
        "Food",
        "Government",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 5,
        "domain": 44,
        "hostname": 1
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "720 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6641ae33d2b5b0a2fcc9ebae",
      "name": "eSentire | FIN7 Uses Trusted Brands and Sponsored Google Ads to\u2026",
      "description": "Palo Alto\u2019s Managed Detection and Response (MDR) is a 24-hour-a-service provider for Microsoft, Cisco, Microsoft and other major technology companies, with a wide range of services.",
      "modified": "2024-06-12T06:01:34.035000",
      "created": "2024-05-13T06:07:47.725000",
      "tags": [
        "figure",
        "netsupport rat",
        "fin7",
        "threat response",
        "unit",
        "diceloader",
        "msix",
        "msix file",
        "c2 server",
        "python payload",
        "cyber",
        "april",
        "anydesk",
        "winscp",
        "blackrock",
        "updater",
        "schtasks",
        "phishing",
        "fin7 c2s",
        "diceloader c2",
        "python",
        "netsupport"
      ],
      "references": [
        "https://www.esentire.com/blog/fin7-uses-trusted-brands-and-sponsored-google-ads-to-distribute-msix-payloads",
        "https://raw.githubusercontent.com/esThreatIntelligence/iocs/main/FIN7/FIN7_IOCs_5-3-2024.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "BlackRock",
          "display_name": "BlackRock",
          "target": null
        },
        {
          "id": "FIN7",
          "display_name": "FIN7",
          "target": null
        },
        {
          "id": "MSIX",
          "display_name": "MSIX",
          "target": null
        },
        {
          "id": "Python",
          "display_name": "Python",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Construction",
        "Finance",
        "Legal",
        "Manufacturing",
        "Healthcare",
        "Retail",
        "Food",
        "Government",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 5,
        "domain": 44,
        "hostname": 1
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "720 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pgadmin.link",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pgadmin.link",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780462370.950724
}