{ "type": "Domain", "indicator": "pmidpils.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pmidpils.com", "alexa": "http://www.alexa.com/siteinfo/pmidpils.com", "indicator": "pmidpils.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4167288576, "indicator": "pmidpils.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a3e51b7cc98331174b9c7", "name": "ClickFix Attacks Still Using the Finger", "description": "The ClickFix attacks, which began in November 2025, continue to exploit the finger protocol as a vector for social engineering. The finger protocol, originally designed for querying user information on remote systems, is being repurposed by threat actors in these ongoing campaigns. The usage of this protocol indicates a reliance on outdated or less secure technologies, which attackers leverage to manipulate victims into divulging sensitive information or compromising their systems.", "modified": "2026-01-22T07:01:39.662000", "created": "2025-12-23T07:01:37.861000", "tags": [ "december", "captcha page", "wireshark", "clickfix", "tcp port", "november", "didier stevens", "clickfix script", "finding finger", "tcp stream", "kongtuke" ], "references": [ "https://isc.sans.edu/diary/32566" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1, "email": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Book2.csv", "https://isc.sans.edu/diary/32566" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "694bde495c4f1023c4a3c1ab", "name": "EbeeDec2025 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-01-23T12:00:04.403000", "created": "2025-12-24T12:36:25.036000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "name" ], "references": [ "Book2.csv" ], "public": 1, "adversary": "WARP PANDA, UNG0801, Warlock, DPRK Operation, Webrat, Docusign-themed phishing", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 149, "FileHash-SHA1": 159, "FileHash-SHA256": 165, "CVE": 5, "URL": 86, "domain": 146, "email": 10, "hostname": 40 }, "indicator_count": 760, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694a3e51b7cc98331174b9c7", "name": "ClickFix Attacks Still Using the Finger", "description": "The ClickFix attacks, which began in November 2025, continue to exploit the finger protocol as a vector for social engineering. The finger protocol, originally designed for querying user information on remote systems, is being repurposed by threat actors in these ongoing campaigns. The usage of this protocol indicates a reliance on outdated or less secure technologies, which attackers leverage to manipulate victims into divulging sensitive information or compromising their systems.", "modified": "2026-01-22T07:01:39.662000", "created": "2025-12-23T07:01:37.861000", "tags": [ "december", "captcha page", "wireshark", "clickfix", "tcp port", "november", "didier stevens", "clickfix script", "finding finger", "tcp stream", "kongtuke" ], "references": [ "https://isc.sans.edu/diary/32566" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 1, "email": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pmidpils.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pmidpils.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780210795.5442767 }