{ "type": "Domain", "indicator": "potherbreference.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/potherbreference.com", "alexa": "http://www.alexa.com/siteinfo/potherbreference.com", "indicator": "potherbreference.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4170823363, "indicator": "potherbreference.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "69528092ee9eed9c6d16d25d", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.", "modified": "2025-12-29T13:50:47.832000", "created": "2025-12-29T13:22:26.696000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "MUSTANG PANDA", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6957582a5ec95aeb9a62faac", "name": "EbeeDec2025 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-01T14:01:43.935000", "created": "2026-01-02T05:31:22.506000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOC-Dec 2025.csv" ], "public": 1, "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 82, "FileHash-SHA256": 103, "URL": 41, "domain": 59, "hostname": 26, "email": 2 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6954d43cdd66d386e563113e", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "", "modified": "2025-12-31T07:43:56.041000", "created": "2025-12-31T07:43:56.041000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69528092ee9eed9c6d16d25d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "150 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953ced7aa91769979e76ca4", "name": "Chinese Hackers Deploy Rootkit to Conceal ToneShell Malware Operations", "description": "A new variant of the ToneShell backdoor attributed to the Mustang Panda\ngroup has been deployed", "modified": "2025-12-30T13:08:39.814000", "created": "2025-12-30T13:08:39.814000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953a4b66e9606188b59af66", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit | Securelist", "description": "", "modified": "2025-12-30T10:08:54.336000", "created": "2025-12-30T10:08:54.336000", "tags": [ "apt", "backdoor", "honeymyte", "malware", "malware descriptions", "rootkits", "targeted attacks", "toneshell", "io stack", "southeast", "east asia", "tonedisk usb", "plugx", "microsoft", "load order", "wdfilter", "trojan", "february", "august" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69534189cd8213bc0b5cd130", "name": "IOC - The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "", "modified": "2025-12-30T03:05:45.506000", "created": "2025-12-30T03:05:45.506000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69528092ee9eed9c6d16d25d", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69533ac182d934288fb46a03", "name": "HoneyMyte APT Pushes Persistence into the Windows Kernel", "description": "Kaspersky has released a series of security updates for the software it uses to detect and prevent cyber-attacks from being carried out on its networks.. and the systems they use. the following:", "modified": "2025-12-30T02:36:49.706000", "created": "2025-12-30T02:36:49.706000", "tags": [ "apt", "backdoor", "honeymyte", "malware", "malware descriptions", "rootkits", "targeted attacks", "toneshell", "io stack", "southeast", "east asia", "tonedisk usb", "plugx", "microsoft", "load order", "wdfilter", "trojan", "february", "august", "toneshell c2", "compromise more", "evasive panda", "cloud atlas" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "Load Order", "display_name": "Load Order", "target": null }, { "id": "HoneyMyte", "display_name": "HoneyMyte", "target": null }, { "id": "Evasive Panda", "display_name": "Evasive Panda", "target": null }, { "id": "Cloud Atlas", "display_name": "Cloud Atlas", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/", "IOC-Dec 2025.csv" ], "related": { "alienvault": { "adversary": [ "MUSTANG PANDA" ], "malware_families": [ "Thoper", "Tonedisk", "Korplug", "Toneshell", "Plugx - s0013", "Tvt", "Sogu", "Kaba", "Destroyrat" ], "industries": [ "Government" ] }, "other": { "adversary": [ "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "HoneyMyte" ], "malware_families": [ "Thoper", "Honeymyte", "Tonedisk", "Evasive panda", "Korplug", "Toneshell", "Plugx - s0013", "Tvt", "Sogu", "Kaba", "Destroyrat", "Load order", "Plugx", "Cloud atlas" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "69528092ee9eed9c6d16d25d", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "In mid-2025, a malicious driver file was discovered on Asian computer systems, signed with a compromised digital certificate. This driver injects a backdoor Trojan and protects malicious files, processes, and registry keys. The final payload is a new variant of the ToneShell backdoor, associated with the HoneyMyte APT group. The attacks, which began in February 2025, primarily target government organizations in Southeast and East Asia, especially Myanmar and Thailand. The malware uses various techniques to evade detection, including API obfuscation, process protection, and registry key protection. The ToneShell backdoor communicates with command-and-control servers using fake TLS headers and supports remote operations such as file transfer and shell access.", "modified": "2025-12-29T13:50:47.832000", "created": "2025-12-29T13:22:26.696000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "MUSTANG PANDA", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 386480, "modified_text": "152 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6957582a5ec95aeb9a62faac", "name": "EbeeDec2025 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-01T14:01:43.935000", "created": "2026-01-02T05:31:22.506000", "tags": [ "filehashsha1", "filehashsha256", "filehashmd5" ], "references": [ "IOC-Dec 2025.csv" ], "public": 1, "adversary": "DNS requests to deliver MgBot, Arcane Werewolf, MEDUSA LOCKER, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 4, "FileHash-MD5": 157, "FileHash-SHA1": 82, "FileHash-SHA256": 103, "URL": 41, "domain": 59, "hostname": 26, "email": 2 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "118 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6954d43cdd66d386e563113e", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "", "modified": "2025-12-31T07:43:56.041000", "created": "2025-12-31T07:43:56.041000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69528092ee9eed9c6d16d25d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "150 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953ced7aa91769979e76ca4", "name": "Chinese Hackers Deploy Rootkit to Conceal ToneShell Malware Operations", "description": "A new variant of the ToneShell backdoor attributed to the Mustang Panda\ngroup has been deployed", "modified": "2025-12-30T13:08:39.814000", "created": "2025-12-30T13:08:39.814000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953a4b66e9606188b59af66", "name": "The HoneyMyte APT now protects malware with a kernel-mode rootkit | Securelist", "description": "", "modified": "2025-12-30T10:08:54.336000", "created": "2025-12-30T10:08:54.336000", "tags": [ "apt", "backdoor", "honeymyte", "malware", "malware descriptions", "rootkits", "targeted attacks", "toneshell", "io stack", "southeast", "east asia", "tonedisk usb", "plugx", "microsoft", "load order", "wdfilter", "trojan", "february", "august" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69534189cd8213bc0b5cd130", "name": "IOC - The HoneyMyte APT now protects malware with a kernel-mode rootkit", "description": "", "modified": "2025-12-30T03:05:45.506000", "created": "2025-12-30T03:05:45.506000", "tags": [ "evasion techniques", "apt", "tonedisk", "toneshell", "rootkit", "plugx" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "ToneDisk", "display_name": "ToneDisk", "target": null } ], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "69528092ee9eed9c6d16d25d", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69533ac182d934288fb46a03", "name": "HoneyMyte APT Pushes Persistence into the Windows Kernel", "description": "Kaspersky has released a series of security updates for the software it uses to detect and prevent cyber-attacks from being carried out on its networks.. and the systems they use. the following:", "modified": "2025-12-30T02:36:49.706000", "created": "2025-12-30T02:36:49.706000", "tags": [ "apt", "backdoor", "honeymyte", "malware", "malware descriptions", "rootkits", "targeted attacks", "toneshell", "io stack", "southeast", "east asia", "tonedisk usb", "plugx", "microsoft", "load order", "wdfilter", "trojan", "february", "august", "toneshell c2", "compromise more", "evasive panda", "cloud atlas" ], "references": [ "https://securelist.com/honeymyte-kernel-mode-rootkit/118590/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Myanmar", "Thailand" ], "malware_families": [ { "id": "Load Order", "display_name": "Load Order", "target": null }, { "id": "HoneyMyte", "display_name": "HoneyMyte", "target": null }, { "id": "Evasive Panda", "display_name": "Evasive Panda", "target": null }, { "id": "Cloud Atlas", "display_name": "Cloud Atlas", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "potherbreference.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "potherbreference.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780200613.705107 }