{ "type": "Domain", "indicator": "preflightdesign.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/preflightdesign.com", "alexa": "http://www.alexa.com/siteinfo/preflightdesign.com", "indicator": "preflightdesign.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3414063981, "indicator": "preflightdesign.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "642ede8fc5b3e870156bb050", "name": "CryptoClippy Speaks Portuguese", "description": "Unit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users\u2019 wallets and into wallets controlled by threat actors instead. To do this, the campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim\u2019s clipboard for signs that a cryptocurrency wallet address is being copied.", "modified": "2023-04-06T15:00:29.864000", "created": "2023-04-06T15:00:29.864000", "tags": [ "CryptoClippy", "Malvertising" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 381, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 16, "domain": 6 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386580, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65539ae80b7b6e0d9c669216", "name": "Test Pulse", "description": "", "modified": "2023-12-16T16:02:10.435000", "created": "2023-11-14T16:06:00.013000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gzerphPer", "id": "197016", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "URL": 189, "FileHash-MD5": 442, "FileHash-SHA1": 395, "FileHash-SHA256": 659, "email": 1, "hostname": 298, "domain": 515, "FilePath": 12 }, "indicator_count": 2514, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642e8db62d651d47f1c69ec0", "name": "CryptoClippy Speaks Portuguese", "description": "A malware campaign targeting Portuguese speakers aims to steal cryptocurrency from legitimate users' wallets, according to Palo Alto Networks Unit 42 Managed Threat Hunting, which has recently discovered a new variant of the malware.", "modified": "2023-05-06T00:04:41.929000", "created": "2023-04-06T09:15:34.176000", "tags": [ "cryptocurrency", "cryptoclippy", "figure", "exe file", "unit", "whatsapp web", "lnk file", "ethereum", "ethereum wallet", "palo alto", "stage", "powershell", "virustotal", "generator", "alliance", "smokeloader", "miner" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/" ], "public": 1, "adversary": "Cryptocurrency", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "BitcoinAddress": 7, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 17, "domain": 6 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6430a56346b46e2ab89c9b0d", "name": "CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users", "description": "", "modified": "2023-04-07T23:21:07.297000", "created": "2023-04-07T23:21:07.297000", "tags": [ "OSINT", "Cryptocurrency", "Clipper", "CryptoClippy", "T1129", "T1055", "T1036", "T1082", "T1027", "T1129" ], "references": [ "https://community.riskiq.com/article/4d9d67c4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "FileHash-SHA256": 15 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1149 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642f381b5171ad6bb41717cc", "name": "New CryptoClippy Malware", "description": "", "modified": "2023-04-06T21:22:35.135000", "created": "2023-04-06T21:22:35.135000", "tags": [ "public", "infrastructure" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642ee8462162bd8cd2d164e8", "name": "CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users", "description": "Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign.\n\nThe activity leverages SEO poisoning techniques to entice users searching for \"WhatsApp web\" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.\n\nCryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim's clipboard for content matching cryptocurrency addresses and substituting them with a wallet address under the threat actor's control.", "modified": "2023-04-06T15:41:58.210000", "created": "2023-04-06T15:41:58.210000", "tags": [ "cryptocurrency", "cryptoclippy", "figure", "exe file", "unit", "whatsapp web", "lnk file", "ethereum", "ethereum wallet", "palo alto", "stage", "powershell", "virustotal", "generator", "alliance", "smokeloader", "miner" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/", "https://thehackernews.com/2023/04/cryptoclippy-new-clipper-malware.html" ], "public": 1, "adversary": "Cryptocurrency", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 307, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 7, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 17, "domain": 6 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62494a1f192e486651b88881", "name": "NewDom-5-20220403", "description": "ICANN-Dom", "modified": "2022-05-18T00:01:58.010000", "created": "2022-04-03T07:17:51.227000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6248020a4ac5394b5acf8a3d", "name": "NewDom-5-20220402", "description": "ICANN-Dom", "modified": "2022-05-17T00:02:45.423000", "created": "2022-04-02T07:58:02.414000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "62480854c57a56b6d6f43a02", "name": "NewDom-5-20220402", "description": "ICANN-Dom", "modified": "2022-05-17T00:02:45.423000", "created": "2022-04-02T08:24:52.665000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/", "https://community.riskiq.com/article/4d9d67c4", "https://thehackernews.com/2023/04/cryptoclippy-new-clipper-malware.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Cryptoclippy" ], "industries": [] }, "other": { "adversary": [ "Cryptocurrency" ], "malware_families": [ "Cryptoclippy" ], "industries": [ "Manufacturing" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "642ede8fc5b3e870156bb050", "name": "CryptoClippy Speaks Portuguese", "description": "Unit 42 recently discovered a malware campaign targeting Portuguese speakers, which aims to redirect cryptocurrency away from legitimate users\u2019 wallets and into wallets controlled by threat actors instead. To do this, the campaign uses a type of malware known as a cryptocurrency clipper, which monitors the victim\u2019s clipboard for signs that a cryptocurrency wallet address is being copied.", "modified": "2023-04-06T15:00:29.864000", "created": "2023-04-06T15:00:29.864000", "tags": [ "CryptoClippy", "Malvertising" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 381, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 16, "domain": 6 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 386580, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65539ae80b7b6e0d9c669216", "name": "Test Pulse", "description": "", "modified": "2023-12-16T16:02:10.435000", "created": "2023-11-14T16:06:00.013000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gzerphPer", "id": "197016", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "URL": 189, "FileHash-MD5": 442, "FileHash-SHA1": 395, "FileHash-SHA256": 659, "email": 1, "hostname": 298, "domain": 515, "FilePath": 12 }, "indicator_count": 2514, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642e8db62d651d47f1c69ec0", "name": "CryptoClippy Speaks Portuguese", "description": "A malware campaign targeting Portuguese speakers aims to steal cryptocurrency from legitimate users' wallets, according to Palo Alto Networks Unit 42 Managed Threat Hunting, which has recently discovered a new variant of the malware.", "modified": "2023-05-06T00:04:41.929000", "created": "2023-04-06T09:15:34.176000", "tags": [ "cryptocurrency", "cryptoclippy", "figure", "exe file", "unit", "whatsapp web", "lnk file", "ethereum", "ethereum wallet", "palo alto", "stage", "powershell", "virustotal", "generator", "alliance", "smokeloader", "miner" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/" ], "public": 1, "adversary": "Cryptocurrency", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "BitcoinAddress": 7, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 17, "domain": 6 }, "indicator_count": 37, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1121 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6430a56346b46e2ab89c9b0d", "name": "CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users", "description": "", "modified": "2023-04-07T23:21:07.297000", "created": "2023-04-07T23:21:07.297000", "tags": [ "OSINT", "Cryptocurrency", "Clipper", "CryptoClippy", "T1129", "T1055", "T1036", "T1082", "T1027", "T1129" ], "references": [ "https://community.riskiq.com/article/4d9d67c4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "FileHash-SHA256": 15 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1149 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642f381b5171ad6bb41717cc", "name": "New CryptoClippy Malware", "description": "", "modified": "2023-04-06T21:22:35.135000", "created": "2023-04-06T21:22:35.135000", "tags": [ "public", "infrastructure" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "642ee8462162bd8cd2d164e8", "name": "CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users", "description": "Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign.\n\nThe activity leverages SEO poisoning techniques to entice users searching for \"WhatsApp web\" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today.\n\nCryptoClippy, a C-based executable, is a type of cryware known as clipper malware that monitors a victim's clipboard for content matching cryptocurrency addresses and substituting them with a wallet address under the threat actor's control.", "modified": "2023-04-06T15:41:58.210000", "created": "2023-04-06T15:41:58.210000", "tags": [ "cryptocurrency", "cryptoclippy", "figure", "exe file", "unit", "whatsapp web", "lnk file", "ethereum", "ethereum wallet", "palo alto", "stage", "powershell", "virustotal", "generator", "alliance", "smokeloader", "miner" ], "references": [ "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/", "https://thehackernews.com/2023/04/cryptoclippy-new-clipper-malware.html" ], "public": 1, "adversary": "Cryptocurrency", "targeted_countries": [], "malware_families": [ { "id": "CryptoClippy", "display_name": "CryptoClippy", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [ "Manufacturing" ], "TLP": "white", "cloned_from": null, "export_count": 307, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 7, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 17, "domain": 6 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "1151 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62494a1f192e486651b88881", "name": "NewDom-5-20220403", "description": "ICANN-Dom", "modified": "2022-05-18T00:01:58.010000", "created": "2022-04-03T07:17:51.227000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6248020a4ac5394b5acf8a3d", "name": "NewDom-5-20220402", "description": "ICANN-Dom", "modified": "2022-05-17T00:02:45.423000", "created": "2022-04-02T07:58:02.414000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "62480854c57a56b6d6f43a02", "name": "NewDom-5-20220402", "description": "ICANN-Dom", "modified": "2022-05-17T00:02:45.423000", "created": "2022-04-02T08:24:52.665000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ZENDataGELowC", "id": "152785", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 202, "modified_text": "1475 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "preflightdesign.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "preflightdesign.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780264220.1399052 }