{ "type": "Domain", "indicator": "premove.ru", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/premove.ru", "alexa": "http://www.alexa.com/siteinfo/premove.ru", "indicator": "premove.ru", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4101281057, "indicator": "premove.ru", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "691007925f370e350169ff23", "name": "check", "description": "", "modified": "2025-12-15T02:10:20.572000", "created": "2025-11-09T03:16:34.163000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 147, "FileHash-MD5": 38, "FileHash-SHA1": 39, "FileHash-SHA256": 479, "domain": 28, "hostname": 13 }, "indicator_count": 744, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "168 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68812b67bfb334a103025305", "name": "Operation \"Liquidation\": We study and block the infrastructure of the Nyashteam group.", "description": "F6 analysts have identified and disrupted a network of group domains involved in distributing malware and providing hosting services for cybercrime infrastructure through a model known as Malware-As-A-Service (MaaS). This model enables inexperienced attackers to launch sophisticated cyberattacks with minimal knowledge. The group Nyashteam, which has been operational since at least 2022, illustrates this trend by offering two families of malware\u2014DCRAT and Webrat\u2014via Telegram bots and dedicated websites. The group primarily targets Russian-speaking audiences, but their services are available to attackers worldwide. Their popularity stems from relatively low costs and user-friendly interfaces. DCRAT is a remote access Trojan (RAT) recognized since 2018 that allows attackers to control infected devices, capture keystrokes, access webcams, steal passwords, and execute arbitrary commands.", "modified": "2025-07-23T18:36:10.887000", "created": "2025-07-23T18:35:19.055000", "tags": [], "references": [ "https://www.f6.ru/blog/nyashteam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Petroleum", "Logistic", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 114, "hostname": 1 }, "indicator_count": 121, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "313 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.f6.ru/blog/nyashteam/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Logistic", "Petroleum", "Entertainment" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "691007925f370e350169ff23", "name": "check", "description": "", "modified": "2025-12-15T02:10:20.572000", "created": "2025-11-09T03:16:34.163000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 147, "FileHash-MD5": 38, "FileHash-SHA1": 39, "FileHash-SHA256": 479, "domain": 28, "hostname": 13 }, "indicator_count": 744, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "168 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68812b67bfb334a103025305", "name": "Operation \"Liquidation\": We study and block the infrastructure of the Nyashteam group.", "description": "F6 analysts have identified and disrupted a network of group domains involved in distributing malware and providing hosting services for cybercrime infrastructure through a model known as Malware-As-A-Service (MaaS). This model enables inexperienced attackers to launch sophisticated cyberattacks with minimal knowledge. The group Nyashteam, which has been operational since at least 2022, illustrates this trend by offering two families of malware\u2014DCRAT and Webrat\u2014via Telegram bots and dedicated websites. The group primarily targets Russian-speaking audiences, but their services are available to attackers worldwide. Their popularity stems from relatively low costs and user-friendly interfaces. DCRAT is a remote access Trojan (RAT) recognized since 2018 that allows attackers to control infected devices, capture keystrokes, access webcams, steal passwords, and execute arbitrary commands.", "modified": "2025-07-23T18:36:10.887000", "created": "2025-07-23T18:35:19.055000", "tags": [], "references": [ "https://www.f6.ru/blog/nyashteam/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [ "Petroleum", "Logistic", "Entertainment" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 114, "hostname": 1 }, "indicator_count": 121, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "313 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "premove.ru", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "premove.ru", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780351816.2001457 }