{ "type": "Domain", "indicator": "phaqwentom.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/phaqwentom.com", "alexa": "http://www.alexa.com/siteinfo/phaqwentom.com", "indicator": "phaqwentom.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4107821810, "indicator": "phaqwentom.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6889d5dc91f97509dbb3b83b", "name": "ToxicPanda: The Android Banking Trojan Targeting Europe.", "description": "ToxicPanda is an evolving Android banking trojan that primarily targets banking and digital wallet credentials through sophisticated attack techniques. This malware is known for overlaying PINs and pattern codes, which allows cybercriminals to conduct unauthorized financial transactions directly from compromised devices. Initially identified in Southeast Asia in 2022, ToxicPanda has since shifted its focus to Europe, predominantly targeting Portugal and Spain as of early 2025, with a notable increase in installations, now affecting approximately 4,500 devices.", "modified": "2025-08-29T08:00:34.369000", "created": "2025-07-30T08:20:44.275000", "tags": [ "toxicpanda", "portugal", "tag124", "trace", "spain", "europe", "c2 server", "android banking", "cleafy", "italy", "android", "tgtoxic", "bypass", "webview", "malware", "june", "cyber", "future", "new cloudflare", "iocs", "websites", "possibly", "by tag124" ], "references": [ "https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 547, "modified_text": "278 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6889d5dc91f97509dbb3b83b", "name": "ToxicPanda: The Android Banking Trojan Targeting Europe.", "description": "ToxicPanda is an evolving Android banking trojan that primarily targets banking and digital wallet credentials through sophisticated attack techniques. This malware is known for overlaying PINs and pattern codes, which allows cybercriminals to conduct unauthorized financial transactions directly from compromised devices. Initially identified in Southeast Asia in 2022, ToxicPanda has since shifted its focus to Europe, predominantly targeting Portugal and Spain as of early 2025, with a notable increase in installations, now affecting approximately 4,500 devices.", "modified": "2025-08-29T08:00:34.369000", "created": "2025-07-30T08:20:44.275000", "tags": [ "toxicpanda", "portugal", "tag124", "trace", "spain", "europe", "c2 server", "android banking", "cleafy", "italy", "android", "tgtoxic", "bypass", "webview", "malware", "june", "cyber", "future", "new cloudflare", "iocs", "websites", "possibly", "by tag124" ], "references": [ "https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1111", "name": "Two-Factor Authentication Interception", "display_name": "T1111 - Two-Factor Authentication Interception" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 52 }, "indicator_count": 52, "is_author": false, "is_subscribing": null, "subscriber_count": 547, "modified_text": "278 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "phaqwentom.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "phaqwentom.com", "found": true, "verdict": "malicious", "url_count": 4, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://phaqwentom.com/no_dropper.apk", "status": "offline", "threat": "malware_download", "date_added": "2025-01-07", "tags": [ "apk ", "opendir", "TgToxic" ] }, { "url": "https://phaqwentom.com/dropper.apk", "status": "offline", "threat": "malware_download", "date_added": "2025-01-07", "tags": [ "apk ", "opendir", "TgToxic" ] }, { "url": "http://phaqwentom.com/dropper.apk", "status": "offline", "threat": "malware_download", "date_added": "2025-01-07", "tags": [ "apk ", "opendir", "TgToxic" ] }, { "url": "http://phaqwentom.com/no_dropper.apk", "status": "offline", "threat": "malware_download", "date_added": "2025-01-07", "tags": [ "apk ", "opendir", "TgToxic" ] } ], "error": null }, "from_cache": true, "_cached_at": 1780523455.097786 }