{
  "type": "Domain",
  "indicator": "phlogin.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/phlogin.com",
    "alexa": "http://www.alexa.com/siteinfo/phlogin.com",
    "indicator": "phlogin.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2132191239,
      "indicator": "phlogin.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "5e0b9895c5ed003a85210202",
          "name": "Microsoft Takes Down Thallium (APT37) Domains",
          "description": "Collection of infrastructure that was taken down, plus potentially related infrastructure identified through infrastructure overlap and other relations.",
          "modified": "2020-12-02T19:07:31.733000",
          "created": "2019-12-31T18:51:01.497000",
          "tags": [
            "DPRK_APT",
            "North Korea"
          ],
          "references": [
            "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU",
            "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37",
            "https://twitter.com/jfslowik/status/1212097943550873600"
          ],
          "public": 1,
          "adversary": "APT37",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 118,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 9,
            "domain": 71,
            "hostname": 7
          },
          "indicator_count": 87,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387011,
          "modified_text": "2008 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5e206c7aef589acc3f96cb79",
          "name": "Thallium domains sinkholed by Microsoft",
          "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.",
          "modified": "2020-01-17T20:26:26.408000",
          "created": "2020-01-16T14:00:26.890000",
          "tags": [
            "apt37",
            "Thallium",
            "dprk"
          ],
          "references": [
            "https://twitter.com/kyleehmke/status/1212119523077349378",
            "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/"
          ],
          "public": 1,
          "adversary": "Thallium",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 66,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 15,
            "domain": 28,
            "hostname": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387007,
          "modified_text": "2328 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5d6d754babe6ca295f94cb1b",
          "name": "Credential Phishing Campaign targeting Governments",
          "description": "During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names, and created several subdomains with a naming pattern revealing its potential targets.",
          "modified": "2019-09-03T06:19:04.874000",
          "created": "2019-09-02T20:02:19.049000",
          "tags": [
            "north korea",
            "kimsuky"
          ],
          "references": [
            "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf"
          ],
          "public": 1,
          "adversary": "Kimsuky",
          "targeted_countries": [
            "Poland",
            "France"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government",
            "Education",
            "NGO"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 91,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 14,
            "domain": 87,
            "FileHash-SHA256": 1,
            "hostname": 973,
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "URL": 3,
            "IPv4": 18
          },
          "indicator_count": 1098,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387038,
          "modified_text": "2464 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf",
        "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU",
        "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37",
        "https://twitter.com/kyleehmke/status/1212119523077349378",
        "https://twitter.com/jfslowik/status/1212097943550873600"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "APT37",
            "Thallium",
            "Kimsuky"
          ],
          "malware_families": [],
          "industries": [
            "Education",
            "Government",
            "Ngo"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "5e0b9895c5ed003a85210202",
      "name": "Microsoft Takes Down Thallium (APT37) Domains",
      "description": "Collection of infrastructure that was taken down, plus potentially related infrastructure identified through infrastructure overlap and other relations.",
      "modified": "2020-12-02T19:07:31.733000",
      "created": "2019-12-31T18:51:01.497000",
      "tags": [
        "DPRK_APT",
        "North Korea"
      ],
      "references": [
        "https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU",
        "https://malpedia.caad.fkie.fraunhofer.de/actor/apt37",
        "https://twitter.com/jfslowik/status/1212097943550873600"
      ],
      "public": 1,
      "adversary": "APT37",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 118,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 9,
        "domain": 71,
        "hostname": 7
      },
      "indicator_count": 87,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387011,
      "modified_text": "2008 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5e206c7aef589acc3f96cb79",
      "name": "Thallium domains sinkholed by Microsoft",
      "description": "On December 27, a U.S. district court unsealed documents detailing work Microsoft has performed to disrupt cyberattacks from a threat group we call Thallium, which is believed to operate from North Korea. Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations. With this action, the sites can no longer be used to execute attacks.",
      "modified": "2020-01-17T20:26:26.408000",
      "created": "2020-01-16T14:00:26.890000",
      "tags": [
        "apt37",
        "Thallium",
        "dprk"
      ],
      "references": [
        "https://twitter.com/kyleehmke/status/1212119523077349378",
        "https://blogs.microsoft.com/on-the-issues/2019/12/30/microsoft-court-action-against-nation-state-cybercrime/"
      ],
      "public": 1,
      "adversary": "Thallium",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 66,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 15,
        "domain": 28,
        "hostname": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387007,
      "modified_text": "2328 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5d6d754babe6ca295f94cb1b",
      "name": "Credential Phishing Campaign targeting Governments",
      "description": "During its investigations and with the cooperation of multiple partners, ANSSI has discovered several clusters of malicious activity, including domain names, subdomains and email addresses, used in a large attack campaign with traces going back to 2017. The threat actor registered multiple domain names, and created several subdomains with a naming pattern revealing its potential targets.",
      "modified": "2019-09-03T06:19:04.874000",
      "created": "2019-09-02T20:02:19.049000",
      "tags": [
        "north korea",
        "kimsuky"
      ],
      "references": [
        "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf"
      ],
      "public": 1,
      "adversary": "Kimsuky",
      "targeted_countries": [
        "Poland",
        "France"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government",
        "Education",
        "NGO"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 91,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 14,
        "domain": 87,
        "FileHash-SHA256": 1,
        "hostname": 973,
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "URL": 3,
        "IPv4": 18
      },
      "indicator_count": 1098,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387038,
      "modified_text": "2464 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "phlogin.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "phlogin.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780458251.4799645
}