{
  "type": "Domain",
  "indicator": "pmpdm.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pmpdm.com",
    "alexa": "http://www.alexa.com/siteinfo/pmpdm.com",
    "indicator": "pmpdm.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4032357554,
      "indicator": "pmpdm.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "67ca2991532d81738cbca1e8",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-06T23:02:41.409000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 58,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386481,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "679c9d57da555f158d9bd671",
          "name": "Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response",
          "description": "Trend Micro's Managed XDR team investigated a sophisticated campaign distributing Lumma Stealer through GitHub. The attackers exploited GitHub's release infrastructure to deliver various malware, including SectopRAT, Vidar, and Cobeacon. The campaign used compromised websites for redirection to GitHub-hosted malicious payloads. The malware exfiltrated sensitive data, connected to C&C servers, and employed evasion techniques. The tactics show similarities with the Stargazer Goblin group, known for using compromised websites and GitHub for payload distribution. The attack chain involved multiple stages, including initial access through GitHub, execution of malware, and subsequent deployment of additional tools. The campaign highlights the evolving distribution methods of Lumma Stealer and the importance of proactive security measures.",
          "modified": "2025-03-02T09:02:22.531000",
          "created": "2025-01-31T09:52:23.158000",
          "tags": [
            "information stealing",
            "lumma stealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
          ],
          "public": 1,
          "adversary": "Stargazer Goblin",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "SectopRAT",
              "display_name": "SectopRAT",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Cobeacon",
              "display_name": "Cobeacon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 54,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 17,
            "FileHash-MD5": 2,
            "FileHash-SHA256": 1,
            "domain": 16
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386481,
          "modified_text": "454 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67d06409e03b19fb2eb737c5",
          "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub",
          "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.",
          "modified": "2025-04-10T16:02:20.978000",
          "created": "2025-03-11T16:25:45.654000",
          "tags": [
            "url https",
            "ip address",
            "indicator type",
            "type https",
            "filename sha256",
            "c2s indicator",
            "domain",
            "urls indicator",
            "url indicator",
            "indicator",
            "powershell",
            "autoit"
          ],
          "references": [],
          "public": 1,
          "adversary": "[Unnamed group]",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": true,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dylanroth7",
            "id": "285032",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 57,
            "FileHash-MD5": 75,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 110,
            "domain": 58,
            "hostname": 2
          },
          "indicator_count": 387,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "415 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cba2c76268444d82d2d9ab",
          "name": "One Million Devices Impacted by Infostealer Campaign",
          "description": "A sophisticated cyber campaign ran by the threat group called Storm-0408 has\ncompromised about one devices to deploy malicious payloads.",
          "modified": "2025-04-07T01:00:24.947000",
          "created": "2025-03-08T01:52:07.443000",
          "tags": [
            "domain",
            "url https",
            "indicator",
            "file name",
            "filename sha256",
            "certificate",
            "githubhosted",
            "secondstage",
            "c2s indicator",
            "type",
            "powershell",
            "ip address",
            "type http",
            "c2 http",
            "computer",
            "c2 fourthstage",
            "url fourthstage",
            "indicator type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 58,
            "URL": 57,
            "hostname": 2,
            "FileHash-MD5": 35,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 109
          },
          "indicator_count": 307,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cb8afb5b6010855bdd027f",
          "name": "InQuest - 07-03-2025",
          "description": "",
          "modified": "2025-04-07T00:03:06.367000",
          "created": "2025-03-08T00:10:35.322000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 655,
            "FileHash-SHA1": 27,
            "URL": 476,
            "hostname": 84,
            "domain": 129,
            "FileHash-MD5": 27
          },
          "indicator_count": 1398,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cacce2ff28f3af5baa75bc",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Microsoft Security   is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.",
          "modified": "2025-04-06T10:00:27.717000",
          "created": "2025-03-07T10:39:30.563000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67cacce59175307b6d7f03c6",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Microsoft Security   is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.",
          "modified": "2025-04-06T10:00:27.717000",
          "created": "2025-03-07T10:39:33.594000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "419 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ca39006b50993d4ba19927",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
          "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
          "modified": "2025-04-06T00:01:42.553000",
          "created": "2025-03-07T00:08:32.097000",
          "tags": [
            "ipaddress",
            "timestamp",
            "table",
            "additionalinfo",
            "project",
            "github",
            "timegenerated",
            "microsoft",
            "useragent",
            "powershell",
            "autoit",
            "lumma stealer",
            "defender",
            "path",
            "discord",
            "doenerium",
            "nsis",
            "encrypt",
            "psexec",
            "service",
            "suspicious",
            "anomaly",
            "sentinel",
            "twitter",
            "lumma",
            "netsupport"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Information Technology",
            "Technology",
            "Defense",
            "Telecommunications",
            "Higher Education",
            "Energy",
            "Oil And Gas",
            "Social Engineering"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 59,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 59,
            "hostname": 2
          },
          "indicator_count": 320,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 43,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ca394df02a68ad4f8bdd44",
          "name": "InQuest - 06-03-2025",
          "description": "",
          "modified": "2025-04-06T00:01:42.553000",
          "created": "2025-03-07T00:09:49.679000",
          "tags": [],
          "references": [
            "https://labs.inquest.net/iocdb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 597,
            "FileHash-SHA1": 84,
            "URL": 688,
            "hostname": 142,
            "domain": 209,
            "FileHash-MD5": 82
          },
          "indicator_count": 1802,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1623,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ce51f0dc644a25a34f6607",
          "name": "IOC&TTP - Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "\u8fd1\u671f\uff0c\u4e00\u9879\u5927\u89c4\u6a21\u7684\u6076\u610f\u5e7f\u544a\uff08Malvertising\uff09\u653b\u51fb\u6d3b\u52a8\u88ab\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\uff0c\u8be5\u653b\u51fb\u5229\u7528\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u4e2d\u7684\u6076\u610f\u5e7f\u544a\u91cd\u5b9a\u5411\u7528\u6237\uff0c\u6700\u7ec8\u6307\u5411GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u7a83\u53d6\u53d7\u5bb3\u8005\u7684\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6b21\u653b\u51fb\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb\uff0c\u5305\u62ec\u4f01\u4e1a\u548c\u6d88\u8d39\u8005\u8bbe\u5907\uff0c\u76ee\u6807\u6db5\u76d6\u591a\u4e2a\u884c\u4e1a\uff0c\u663e\u793a\u51fa\u5176\u9ad8\u5ea6\u968f\u673a\u6027\u3002\n\n\u8be5\u653b\u51fb\u94fe\u91c7\u7528\u591a\u9636\u6bb5\u65b9\u6cd5\uff1a\n\n\u521d\u59cb\u8bbf\u95ee\uff1a\u7528\u6237\u5728\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u89c2\u770b\u76d7\u7248\u89c6\u9891\u65f6\uff0c\u7f51\u7ad9\u5d4c\u5165\u7684\u6076\u610f\u5e7f\u544a\u4f1a\u5c06\u5176\u91cd\u5b9a\u5411\u81f3\u4e2d\u95f4\u7f51\u7ad9\uff0c\u7ee7\u800c\u5f15\u5bfc\u81f3GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f7d\u8377\u3002\n\u6076\u610f\u8f6f\u4ef6\u90e8\u7f72\uff1aGitHub\u4e0a\u7684\u7b2c\u4e00\u9636\u6bb5\u8f7d\u8377\u5145\u5f53\u6295\u653e\u5668\uff08Dropper\uff09\uff0c\u7528\u4e8e\u5728\u53d7\u5bb3\u8005\u8bbe\u5907\u4e0a\u5efa\u7acb\u521d\u59cb\u7acb\u8db3\u70b9\uff0c\u5e76\u6267\u884c\u540e\u7eed\u6076\u610f\u64cd\u4f5c\u3002\n\u4fe1\u606f\u6536\u96c6\uff1a\u7b2c\u4e8c\u9636\u6bb5\u8f7d\u8377\u8fdb\u884c\u7cfb\u7edf\u63a2\u6d4b\uff0c\u6536\u96c6\u8bbe\u5907\u4fe1\u606f\uff08\u5982\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u3001\u663e\u5361\u8be6\u60c5\u3001\u5c4f\u5e55\u5206\u8fa8\u7387\u7b49\uff09\uff0c\u5e76\u901a\u8fc7Base64\u7f16\u7801\u540e\u53d1\u9001\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u3002\n\u540e\u7eed\u653b\u51fb\uff1a\u90e8\u5206\u653b\u51fb\u53d8\u79cd\u5728\u7b2c\u4e8c\u9636\u6bb5\u540e\uff0c\u4f1a\u690d\u5165\u8fdc\u7a0b\u8bbf\u95ee\u5de5\u5177\uff08RAT\uff09\u6216\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982Lumma Stealer\u6216Doenerium\u3002\u53d7\u5bb3\u8bbe\u5907\u7684\u6570\u636e\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u51ed\u8bc1\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u4fe1\u606f\u7b49\uff09\u88ab\u8fdb\u4e00\u6b65\u7a83\u53d6\u548c\u5916\u6cc4\u3002\n\u6301\u4e45\u5316\u4e0e\u89c4\u907f\u68c0\u6d4b\uff1a\u653b\u51fb\u8005\u5229\u7528Windows\u6ce8\u518c\u8868Run\u952e\u3001\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\u7b49\u624b\u6bb5\u786e\u4fdd\u6076\u610f\u8f6f\u4ef6\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u8fd0\u884c\u3002\u540c\u65f6\uff0c\u4f7f\u7528PowerShell\u3001JavaScript\u548cAutoIT\u7b49\u6280\u672f\u8fdb\u884c\u9690\u853d\u64cd\u4f5c\uff0c\u4ee5\u9003\u907f\u5b89\u5168\u9632\u62a4\u63aa\u65bd\u3002",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-10T02:44:00.293000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ca2991532d81738cbca1e8",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67ce944e3bd615c4b07a61d7",
          "name": "Malvertising campaign leads to info stealers hosted on GitHub",
          "description": "",
          "modified": "2025-04-05T23:03:06.500000",
          "created": "2025-03-10T07:27:10.896000",
          "tags": [
            "doenerium",
            "lumma stealer",
            "information stealer",
            "github",
            "lumma",
            "malvertising",
            "living-off-the-land",
            "netsupport rat",
            "multi-stage attack"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
          ],
          "public": 1,
          "adversary": "Storm-0408",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma stealer",
              "display_name": "Lumma stealer",
              "target": null
            },
            {
              "id": "Doenerium",
              "display_name": "Doenerium",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1218.005",
              "name": "Mshta",
              "display_name": "T1218.005 - Mshta"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.005",
              "name": "Visual Basic",
              "display_name": "T1059.005 - Visual Basic"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67ca2991532d81738cbca1e8",
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 60,
            "FileHash-MD5": 41,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 112,
            "domain": 49,
            "hostname": 1
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "420 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a069df10b7aaf19d8956ca",
          "name": "Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response",
          "description": "",
          "modified": "2025-03-02T09:02:22.531000",
          "created": "2025-02-03T07:01:51.012000",
          "tags": [
            "information stealing",
            "lumma stealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
          ],
          "public": 1,
          "adversary": "Stargazer Goblin",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "SectopRAT",
              "display_name": "SectopRAT",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Cobeacon",
              "display_name": "Cobeacon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "679c9d57da555f158d9bd671",
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 17,
            "FileHash-MD5": 2,
            "FileHash-SHA256": 1,
            "domain": 16
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "454 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67a190e2ecf07150fe50809b",
          "name": "Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response",
          "description": "",
          "modified": "2025-03-02T09:02:22.531000",
          "created": "2025-02-04T04:00:34.384000",
          "tags": [
            "information stealing",
            "lumma stealer"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
          ],
          "public": 1,
          "adversary": "Stargazer Goblin",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma Stealer",
              "display_name": "Lumma Stealer",
              "target": null
            },
            {
              "id": "SectopRAT",
              "display_name": "SectopRAT",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "Cobeacon",
              "display_name": "Cobeacon",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "67a069df10b7aaf19d8956ca",
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 17,
            "FileHash-MD5": 2,
            "FileHash-SHA256": 1,
            "domain": 16
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "454 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/",
        "https://labs.inquest.net/iocdb",
        "https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Stargazer Goblin",
            "Storm-0408"
          ],
          "malware_families": [
            "Sectoprat",
            "Vidar",
            "Netsupport rat",
            "Lumma stealer",
            "Doenerium",
            "Cobeacon"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Stargazer Goblin",
            "[Unnamed group]",
            "Storm-0408"
          ],
          "malware_families": [
            "Netsupport",
            "Sectoprat",
            "Vidar",
            "Netsupport rat",
            "Lumma stealer",
            "Doenerium",
            "Cobeacon",
            "Lumma"
          ],
          "industries": [
            "Higher education",
            "Information technology",
            "Government",
            "Defense",
            "Oil and gas",
            "Social engineering",
            "Telecommunications",
            "Technology",
            "Energy"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "67ca2991532d81738cbca1e8",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub",
      "description": "A large-scale malvertising campaign impacting nearly one million devices globally was detected in December 2024. The attack originated from illegal streaming websites with embedded malvertising redirectors, leading users through multiple redirections to malware hosted on GitHub and other platforms. The multi-stage attack chain involved deploying information stealers like Lumma and Doenerium, as well as remote access tools. The threat actors used living-off-the-land techniques and various scripts to collect system information, exfiltrate data, and establish persistence. The campaign affected both consumer and enterprise devices across multiple industries, highlighting its indiscriminate nature.",
      "modified": "2025-04-05T23:03:06.500000",
      "created": "2025-03-06T23:02:41.409000",
      "tags": [
        "doenerium",
        "lumma stealer",
        "information stealer",
        "github",
        "lumma",
        "malvertising",
        "living-off-the-land",
        "netsupport rat",
        "multi-stage attack"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "Storm-0408",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma stealer",
          "display_name": "Lumma stealer",
          "target": null
        },
        {
          "id": "Doenerium",
          "display_name": "Doenerium",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 58,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 49,
        "hostname": 1
      },
      "indicator_count": 310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386481,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "679c9d57da555f158d9bd671",
      "name": "Lumma Stealer's GitHub-Based Delivery Explored via Managed Detection and Response",
      "description": "Trend Micro's Managed XDR team investigated a sophisticated campaign distributing Lumma Stealer through GitHub. The attackers exploited GitHub's release infrastructure to deliver various malware, including SectopRAT, Vidar, and Cobeacon. The campaign used compromised websites for redirection to GitHub-hosted malicious payloads. The malware exfiltrated sensitive data, connected to C&C servers, and employed evasion techniques. The tactics show similarities with the Stargazer Goblin group, known for using compromised websites and GitHub for payload distribution. The attack chain involved multiple stages, including initial access through GitHub, execution of malware, and subsequent deployment of additional tools. The campaign highlights the evolving distribution methods of Lumma Stealer and the importance of proactive security measures.",
      "modified": "2025-03-02T09:02:22.531000",
      "created": "2025-01-31T09:52:23.158000",
      "tags": [
        "information stealing",
        "lumma stealer"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html"
      ],
      "public": 1,
      "adversary": "Stargazer Goblin",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma Stealer",
          "display_name": "Lumma Stealer",
          "target": null
        },
        {
          "id": "SectopRAT",
          "display_name": "SectopRAT",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "Cobeacon",
          "display_name": "Cobeacon",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 54,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 17,
        "FileHash-MD5": 2,
        "FileHash-SHA256": 1,
        "domain": 16
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386481,
      "modified_text": "454 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67d06409e03b19fb2eb737c5",
      "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub",
      "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.",
      "modified": "2025-04-10T16:02:20.978000",
      "created": "2025-03-11T16:25:45.654000",
      "tags": [
        "url https",
        "ip address",
        "indicator type",
        "type https",
        "filename sha256",
        "c2s indicator",
        "domain",
        "urls indicator",
        "url indicator",
        "indicator",
        "powershell",
        "autoit"
      ],
      "references": [],
      "public": 1,
      "adversary": "[Unnamed group]",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": true,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dylanroth7",
        "id": "285032",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 57,
        "FileHash-MD5": 75,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 110,
        "domain": 58,
        "hostname": 2
      },
      "indicator_count": 387,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "415 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cba2c76268444d82d2d9ab",
      "name": "One Million Devices Impacted by Infostealer Campaign",
      "description": "A sophisticated cyber campaign run by the threat group called Storm-0408 has\ncompromised about one million devices to deploy malicious payloads.",
      "modified": "2025-04-07T01:00:24.947000",
      "created": "2025-03-08T01:52:07.443000",
      "tags": [
        "domain",
        "url https",
        "indicator",
        "file name",
        "filename sha256",
        "certificate",
        "githubhosted",
        "secondstage",
        "c2s indicator",
        "type",
        "powershell",
        "ip address",
        "type http",
        "c2 http",
        "computer",
        "c2 fourthstage",
        "url fourthstage",
        "indicator type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 58,
        "URL": 57,
        "hostname": 2,
        "FileHash-MD5": 35,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 109
      },
      "indicator_count": 307,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cb8afb5b6010855bdd027f",
      "name": "InQuest - 07-03-2025",
      "description": "",
      "modified": "2025-04-07T00:03:06.367000",
      "created": "2025-03-08T00:10:35.322000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 655,
        "FileHash-SHA1": 27,
        "URL": 476,
        "hostname": 84,
        "domain": 129,
        "FileHash-MD5": 27
      },
      "indicator_count": 1398,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cacce2ff28f3af5baa75bc",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T10:00:27.717000",
      "created": "2025-03-07T10:39:30.563000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67cacce59175307b6d7f03c6",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T10:00:27.717000",
      "created": "2025-03-07T10:39:33.594000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "419 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ca39006b50993d4ba19927",
      "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog",
      "description": "Microsoft Security is a comprehensive guide to the company's products and services, as well as an analysis of how they might be used to steal information from users.",
      "modified": "2025-04-06T00:01:42.553000",
      "created": "2025-03-07T00:08:32.097000",
      "tags": [
        "ipaddress",
        "timestamp",
        "table",
        "additionalinfo",
        "project",
        "github",
        "timegenerated",
        "microsoft",
        "useragent",
        "powershell",
        "autoit",
        "lumma stealer",
        "defender",
        "path",
        "discord",
        "doenerium",
        "nsis",
        "encrypt",
        "psexec",
        "service",
        "suspicious",
        "anomaly",
        "sentinel",
        "twitter",
        "lumma",
        "netsupport"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1127",
          "name": "Trusted Developer Utilities Proxy Execution",
          "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Information Technology",
        "Technology",
        "Defense",
        "Telecommunications",
        "Higher Education",
        "Energy",
        "Oil And Gas",
        "Social Engineering"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 59,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 59,
        "hostname": 2
      },
      "indicator_count": 320,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 43,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ca394df02a68ad4f8bdd44",
      "name": "InQuest - 06-03-2025",
      "description": "",
      "modified": "2025-04-06T00:01:42.553000",
      "created": "2025-03-07T00:09:49.679000",
      "tags": [],
      "references": [
        "https://labs.inquest.net/iocdb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 597,
        "FileHash-SHA1": 84,
        "URL": 688,
        "hostname": 142,
        "domain": 209,
        "FileHash-MD5": 82
      },
      "indicator_count": 1802,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1623,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67ce51f0dc644a25a34f6607",
      "name": "IOC&TTP - Malvertising campaign leads to info stealers hosted on GitHub",
      "description": "\u8fd1\u671f\uff0c\u4e00\u9879\u5927\u89c4\u6a21\u7684\u6076\u610f\u5e7f\u544a\uff08Malvertising\uff09\u653b\u51fb\u6d3b\u52a8\u88ab\u5fae\u8f6f\u5a01\u80c1\u60c5\u62a5\u56e2\u961f\u53d1\u73b0\uff0c\u8be5\u653b\u51fb\u5229\u7528\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u4e2d\u7684\u6076\u610f\u5e7f\u544a\u91cd\u5b9a\u5411\u7528\u6237\uff0c\u6700\u7ec8\u6307\u5411GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f6f\u4ef6\uff0c\u4ee5\u7a83\u53d6\u53d7\u5bb3\u8005\u7684\u654f\u611f\u4fe1\u606f\u3002\u6b64\u6b21\u653b\u51fb\u5f71\u54cd\u8303\u56f4\u5e7f\u6cdb\uff0c\u5305\u62ec\u4f01\u4e1a\u548c\u6d88\u8d39\u8005\u8bbe\u5907\uff0c\u76ee\u6807\u6db5\u76d6\u591a\u4e2a\u884c\u4e1a\uff0c\u663e\u793a\u51fa\u5176\u9ad8\u5ea6\u968f\u673a\u6027\u3002\n\n\u8be5\u653b\u51fb\u94fe\u91c7\u7528\u591a\u9636\u6bb5\u65b9\u6cd5\uff1a\n\n\u521d\u59cb\u8bbf\u95ee\uff1a\u7528\u6237\u5728\u975e\u6cd5\u6d41\u5a92\u4f53\u7f51\u7ad9\u89c2\u770b\u76d7\u7248\u89c6\u9891\u65f6\uff0c\u7f51\u7ad9\u5d4c\u5165\u7684\u6076\u610f\u5e7f\u544a\u4f1a\u5c06\u5176\u91cd\u5b9a\u5411\u81f3\u4e2d\u95f4\u7f51\u7ad9\uff0c\u7ee7\u800c\u5f15\u5bfc\u81f3GitHub\u6258\u7ba1\u7684\u6076\u610f\u8f7d\u8377\u3002\n\u6076\u610f\u8f6f\u4ef6\u90e8\u7f72\uff1aGitHub\u4e0a\u7684\u7b2c\u4e00\u9636\u6bb5\u8f7d\u8377\u5145\u5f53\u6295\u653e\u5668\uff08Dropper\uff09\uff0c\u7528\u4e8e\u5728\u53d7\u5bb3\u8005\u8bbe\u5907\u4e0a\u5efa\u7acb\u521d\u59cb\u7acb\u8db3\u70b9\uff0c\u5e76\u6267\u884c\u540e\u7eed\u6076\u610f\u64cd\u4f5c\u3002\n\u4fe1\u606f\u6536\u96c6\uff1a\u7b2c\u4e8c\u9636\u6bb5\u8f7d\u8377\u8fdb\u884c\u7cfb\u7edf\u63a2\u6d4b\uff0c\u6536\u96c6\u8bbe\u5907\u4fe1\u606f\uff08\u5982\u64cd\u4f5c\u7cfb\u7edf\u7248\u672c\u3001\u663e\u5361\u8be6\u60c5\u3001\u5c4f\u5e55\u5206\u8fa8\u7387\u7b49\uff09\uff0c\u5e76\u901a\u8fc7Base64\u7f16\u7801\u540e\u53d1\u9001\u81f3\u8fdc\u7a0b\u670d\u52a1\u5668\u3002\n\u540e\u7eed\u653b\u51fb\uff1a\u90e8\u5206\u653b\u51fb\u53d8\u79cd\u5728\u7b2c\u4e8c\u9636\u6bb5\u540e\uff0c\u4f1a\u690d\u5165\u8fdc\u7a0b\u8bbf\u95ee\u5de5\u5177\uff08RAT\uff09\u6216\u4fe1\u606f\u7a83\u53d6\u7a0b\u5e8f\uff0c\u5982Lumma Stealer\u6216Doenerium\u3002\u53d7\u5bb3\u8bbe\u5907\u7684\u6570\u636e\uff08\u5305\u62ec\u6d4f\u89c8\u5668\u51ed\u8bc1\u3001\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u4fe1\u606f\u7b49\uff09\u88ab\u8fdb\u4e00\u6b65\u7a83\u53d6\u548c\u5916\u6cc4\u3002\n\u6301\u4e45\u5316\u4e0e\u89c4\u907f\u68c0\u6d4b\uff1a\u653b\u51fb\u8005\u5229\u7528Windows\u6ce8\u518c\u8868Run\u952e\u3001\u5feb\u6377\u65b9\u5f0f\u6587\u4ef6\u7b49\u624b\u6bb5\u786e\u4fdd\u6076\u610f\u8f6f\u4ef6\u5728\u7cfb\u7edf\u91cd\u542f\u540e\u4ecd\u7136\u8fd0\u884c\u3002\u540c\u65f6\uff0c\u4f7f\u7528PowerShell\u3001JavaScript\u548cAutoIT\u7b49\u6280\u672f\u8fdb\u884c\u9690\u853d\u64cd\u4f5c\uff0c\u4ee5\u9003\u907f\u5b89\u5168\u9632\u62a4\u63aa\u65bd\u3002",
      "modified": "2025-04-05T23:03:06.500000",
      "created": "2025-03-10T02:44:00.293000",
      "tags": [
        "doenerium",
        "lumma stealer",
        "information stealer",
        "github",
        "lumma",
        "malvertising",
        "living-off-the-land",
        "netsupport rat",
        "multi-stage attack"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/"
      ],
      "public": 1,
      "adversary": "Storm-0408",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma stealer",
          "display_name": "Lumma stealer",
          "target": null
        },
        {
          "id": "Doenerium",
          "display_name": "Doenerium",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1218.005",
          "name": "Mshta",
          "display_name": "T1218.005 - Mshta"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.005",
          "name": "Visual Basic",
          "display_name": "T1059.005 - Visual Basic"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "67ca2991532d81738cbca1e8",
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 60,
        "FileHash-MD5": 41,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 112,
        "domain": 49,
        "hostname": 1
      },
      "indicator_count": 310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "420 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pmpdm.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pmpdm.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780203568.2391508
}