{
  "type": "Domain",
  "indicator": "programsbookss.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/programsbookss.com",
    "alexa": "http://www.alexa.com/siteinfo/programsbookss.com",
    "indicator": "programsbookss.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4053887442,
      "indicator": "programsbookss.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "6937b6169bd435b2e3a0787e",
          "name": "CastleLoader Activity Clusters Target Multiple Industries",
          "description": "Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona \"Sparja\" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.",
          "modified": "2026-03-06T09:29:55.184000",
          "created": "2025-12-09T05:39:34.614000",
          "tags": [
            "logistics",
            "castlerat",
            "castlebot",
            "phishing",
            "castleloader",
            "malware-as-a-service",
            "clickfix",
            "booking.com",
            "netsupport rat",
            "sectoprat",
            "warmcookie",
            "matanbuchus"
          ],
          "references": [
            "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
          ],
          "public": 1,
          "adversary": "GrayBravo",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "CastleLoader",
              "display_name": "CastleLoader",
              "target": null
            },
            {
              "id": "CastleRAT",
              "display_name": "CastleRAT",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "CastleBot",
              "display_name": "CastleBot",
              "target": null
            },
            {
              "id": "SecTopRAT",
              "display_name": "SecTopRAT",
              "target": null
            },
            {
              "id": "WarmCookie",
              "display_name": "WarmCookie",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Logistics",
            "Hospitality",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 52,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 17,
            "URL": 6,
            "domain": 197,
            "hostname": 3
          },
          "indicator_count": 237,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386941,
          "modified_text": "88 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68babf81ce8dc0a40f7d42f5",
          "name": "New Botnet Emerges from the Shadows: NightshadeC2",
          "description": "A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.",
          "modified": "2025-10-05T10:00:42.432000",
          "created": "2025-09-05T10:46:25.485000",
          "tags": [
            "c2 communication",
            "trojanized software",
            "uac bypass",
            "nightshadec2",
            "lumma stealer",
            "sandbox evasion",
            "keylogging",
            "botnet"
          ],
          "references": [
            "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1547.009",
              "name": "Shortcut Modification",
              "display_name": "T1547.009 - Shortcut Modification"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 56,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 32,
            "domain": 10,
            "hostname": 1
          },
          "indicator_count": 76,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386942,
          "modified_text": "240 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693ac2642b673dec0dddec05",
          "name": "EbeeDec2025 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-10T13:01:53.320000",
          "created": "2025-12-11T13:08:52.083000",
          "tags": [
            "filehashmd5",
            "filehashsha256",
            "filehashsha1",
            "yara"
          ],
          "references": [
            "Book2.csv"
          ],
          "public": 1,
          "adversary": "DragonForce Next.js RCE exploitation, 01flip ransomware, MetaRAT, LLM in an attack using PureCrypter",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 147,
            "FileHash-SHA1": 147,
            "FileHash-SHA256": 152,
            "CIDR": 1,
            "CVE": 6,
            "URL": 56,
            "domain": 261,
            "hostname": 24
          },
          "indicator_count": 794,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "143 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69399a5c1f618fc7b165283a",
          "name": "GrayBravos CastleLoader Activity Clusters Target Multiple Industries",
          "description": "GrayBravo, a sophisticated threat actor previously tracked as TAG-150, operates a malware-as-a-service (MaaS) model that includes the development and deployment of multiple malware families, notably CastleLoader, CastleBot, and the newly discovered CastleRAT. Recent insights have uncovered four distinct clusters of activities associated with CastleLoader, each characterized by unique tactics, techniques, procedures (TTPs), and victim profiles, indicating the threat actor's adaptability and extensive infrastructure.\n\nThe first cluster, identified as TAG-160, focuses on the logistics sector, where GrayBravo deploys phishing lures impersonating logistics firms. This cluster utilizes the ClickFix technique to distribute CastleLoader while simulating legitimate emails. It has also exploited vulnerabilities in targeted organizations' systems, enhancing deception by spoofing email addresses of established logistics companies, and utilized freight-matching platforms to engage potential victims.",
          "modified": "2026-01-09T16:01:19.286000",
          "created": "2025-12-10T16:05:48.142000",
          "tags": [
            "cloudflare",
            "homenet",
            "externalnet",
            "mgut",
            "ta0011",
            "found",
            "google",
            "na na",
            "cluster",
            "future",
            "malware",
            "execution",
            "accept",
            "sping",
            "copy"
          ],
          "references": [
            "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            },
            {
              "id": "T1583.004",
              "name": "Server",
              "display_name": "T1583.004 - Server"
            },
            {
              "id": "T1588.002",
              "name": "Tool",
              "display_name": "T1588.002 - Tool"
            },
            {
              "id": "T1586.002",
              "name": "Email Accounts",
              "display_name": "T1586.002 - Email Accounts"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1090.002",
              "name": "External Proxy",
              "display_name": "T1090.002 - External Proxy"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            }
          ],
          "industries": [
            "Education",
            "Technology",
            "Transportation"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 16,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "URL": 1,
            "YARA": 3,
            "domain": 189,
            "hostname": 1
          },
          "indicator_count": 242,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "144 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693913f91a80f37e91aa9622",
          "name": "IOC - GrayBravo\u2019s CastleLoader Activity Clusters Target Multiple Industries",
          "description": "",
          "modified": "2026-01-08T05:01:43.215000",
          "created": "2025-12-10T06:32:25.453000",
          "tags": [
            "logistics",
            "castlerat",
            "castlebot",
            "phishing",
            "castleloader",
            "malware-as-a-service",
            "clickfix",
            "booking.com",
            "netsupport rat",
            "sectoprat",
            "warmcookie",
            "matanbuchus"
          ],
          "references": [
            "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
          ],
          "public": 1,
          "adversary": "GrayBravo",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "CastleLoader",
              "display_name": "CastleLoader",
              "target": null
            },
            {
              "id": "CastleRAT",
              "display_name": "CastleRAT",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "CastleBot",
              "display_name": "CastleBot",
              "target": null
            },
            {
              "id": "SecTopRAT",
              "display_name": "SecTopRAT",
              "target": null
            },
            {
              "id": "WarmCookie",
              "display_name": "WarmCookie",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Logistics",
            "Hospitality",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": "6937b6169bd435b2e3a0787e",
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 17,
            "URL": 6,
            "domain": 198,
            "hostname": 3
          },
          "indicator_count": 238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "145 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693a481871431faf92590b25",
          "name": "CastleLoader Activity Clusters Target Multiple Industries",
          "description": "",
          "modified": "2026-01-08T05:01:43.215000",
          "created": "2025-12-11T04:27:04.251000",
          "tags": [
            "logistics",
            "castlerat",
            "castlebot",
            "phishing",
            "castleloader",
            "malware-as-a-service",
            "clickfix",
            "booking.com",
            "netsupport rat",
            "sectoprat",
            "warmcookie",
            "matanbuchus"
          ],
          "references": [
            "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
          ],
          "public": 1,
          "adversary": "GrayBravo",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "CastleLoader",
              "display_name": "CastleLoader",
              "target": null
            },
            {
              "id": "CastleRAT",
              "display_name": "CastleRAT",
              "target": null
            },
            {
              "id": "Matanbuchus",
              "display_name": "Matanbuchus",
              "target": null
            },
            {
              "id": "CastleBot",
              "display_name": "CastleBot",
              "target": null
            },
            {
              "id": "SecTopRAT",
              "display_name": "SecTopRAT",
              "target": null
            },
            {
              "id": "WarmCookie",
              "display_name": "WarmCookie",
              "target": null
            },
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Logistics",
            "Hospitality",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": "6937b6169bd435b2e3a0787e",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 17,
            "URL": 6,
            "domain": 198,
            "hostname": 3
          },
          "indicator_count": 238,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "145 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bff3e33540d09bd27e7c8c",
          "name": "EbeeSep2025 Pt2",
          "description": "",
          "modified": "2025-10-11T12:03:16.109000",
          "created": "2025-09-09T09:31:15.081000",
          "tags": [],
          "references": [
            "Sep week2.pdf"
          ],
          "public": 1,
          "adversary": "Multiple",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 175,
            "FileHash-SHA1": 165,
            "FileHash-SHA256": 382,
            "domain": 75,
            "hostname": 17,
            "FilePath": 4,
            "URL": 17
          },
          "indicator_count": 835,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "234 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bf862c1478abb8bc3b7e19",
          "name": "IOC - New Botnet Emerges from the Shadows: NightshadeC2",
          "description": "In August 2025, eSentire's Threat Response Unit (TRU) identified a new botnet, tracked as \"NightshadeC2,\" which is being deployed via a loader that employs a simple yet highly effective technique to bypass malware analysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to here-in as \u201cUAC Prompt Bombing\u201d.\n\nTRU has observed both C and Python-based variants that communicate with an unidentified Command and Control (C2) framework. The C variant primarily communicates over TCP ports 7777, 33336, 33337, and 443, whereas Python variants predominantly utilize TCP port 80.",
          "modified": "2025-10-09T01:03:27.215000",
          "created": "2025-09-09T01:43:08.382000",
          "tags": [
            "c variant",
            "python variant",
            "redacted",
            "powershell",
            "ip lookup",
            "backdoor",
            "advanced ip",
            "scanner",
            "nightshade c",
            "hkcuenvironment",
            "python"
          ],
          "references": [
            "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 32,
            "FileHash-SHA1": 32,
            "FileHash-SHA256": 32,
            "URL": 2,
            "domain": 10
          },
          "indicator_count": 108,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "236 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68be44aa19b22417f7fa1f2e",
          "name": "IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure",
          "description": "Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.",
          "modified": "2025-10-08T02:04:08.021000",
          "created": "2025-09-08T02:51:22.530000",
          "tags": [
            "sha256",
            "as62904",
            "corporation",
            "warmcookie c2",
            "ip address",
            "castleloader c2",
            "samples",
            "variant samples",
            "seen",
            "as214351",
            "future",
            "python"
          ],
          "references": [
            "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 32,
            "FileHash-SHA1": 32,
            "FileHash-SHA256": 50,
            "URL": 1,
            "domain": 16,
            "hostname": 2
          },
          "indicator_count": 133,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "237 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68bb29155a70ce68c05e982a",
          "name": "ioc block",
          "description": "Hundreds of people have been commenting on the latest developments in the world's largest online community, which are being discussed with a wide range of experts, and their opinions are as diverse as they are.",
          "modified": "2025-10-05T18:01:09.375000",
          "created": "2025-09-05T18:16:53.258000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 24,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 24,
            "URL": 1,
            "domain": 6
          },
          "indicator_count": 79,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 85,
          "modified_text": "240 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c428aa8f8368058224d48d",
          "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
          "description": "",
          "modified": "2025-09-12T14:05:30.735000",
          "created": "2025-09-12T14:05:30.735000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Abinsiby12345",
            "id": "358730",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 48,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 48,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 157,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "263 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c4289a71de45a237b2dd90",
          "name": "TAG-150\u2019s CastleRAT Emerges: Advanced Stealth and Persistence Tactics",
          "description": "",
          "modified": "2025-09-12T14:05:14.514000",
          "created": "2025-09-12T14:05:14.514000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Abinsiby12345",
            "id": "358730",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 48,
            "FileHash-SHA1": 48,
            "FileHash-SHA256": 48,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 157,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 21,
          "modified_text": "263 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/",
        "Book2.csv",
        "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2",
        "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries",
        "Sep week2.pdf"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "GrayBravo"
          ],
          "malware_families": [
            "Sectoprat",
            "Warmcookie",
            "Castlerat",
            "Castlebot",
            "Castleloader",
            "Netsupport rat",
            "Matanbuchus"
          ],
          "industries": [
            "Transportation",
            "Hospitality",
            "Logistics"
          ]
        },
        "other": {
          "adversary": [
            "GrayBravo",
            "DragonForce Next.js RCE exploitation, 01flip ransomware, MetaRAT, LLM in an attack using PureCrypter",
            "Multiple"
          ],
          "malware_families": [
            "Sectoprat",
            "Warmcookie",
            "Castlerat",
            "Castlebot",
            "Castleloader",
            "Netsupport rat",
            "Matanbuchus"
          ],
          "industries": [
            "Technology",
            "Transportation",
            "Education",
            "Hospitality",
            "Logistics"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "6937b6169bd435b2e3a0787e",
      "name": "CastleLoader Activity Clusters Target Multiple Industries",
      "description": "Insikt Group has identified four distinct activity clusters associated with GrayBravo's CastleLoader malware, each with unique tactics and victim profiles. This supports the assessment that GrayBravo operates a malware-as-a-service model. One cluster, TAG-160, impersonates logistics firms and uses phishing lures with the ClickFix technique to distribute CastleLoader. Another cluster, TAG-161, impersonates Booking.com and employs similar techniques. The analysis also uncovered potential links to the online persona \"Sparja\" and the broader cybercriminal ecosystem. GrayBravo demonstrates rapid evolution, technical sophistication, and adaptability in response to public exposure. The report recommends various security measures to defend against these threats.",
      "modified": "2026-03-06T09:29:55.184000",
      "created": "2025-12-09T05:39:34.614000",
      "tags": [
        "logistics",
        "castlerat",
        "castlebot",
        "phishing",
        "castleloader",
        "malware-as-a-service",
        "clickfix",
        "booking.com",
        "netsupport rat",
        "sectoprat",
        "warmcookie",
        "matanbuchus"
      ],
      "references": [
        "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
      ],
      "public": 1,
      "adversary": "GrayBravo",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "CastleLoader",
          "display_name": "CastleLoader",
          "target": null
        },
        {
          "id": "CastleRAT",
          "display_name": "CastleRAT",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "CastleBot",
          "display_name": "CastleBot",
          "target": null
        },
        {
          "id": "SecTopRAT",
          "display_name": "SecTopRAT",
          "target": null
        },
        {
          "id": "WarmCookie",
          "display_name": "WarmCookie",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Logistics",
        "Hospitality",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 52,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 17,
        "URL": 6,
        "domain": 197,
        "hostname": 3
      },
      "indicator_count": 237,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386941,
      "modified_text": "88 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68babf81ce8dc0a40f7d42f5",
      "name": "New Botnet Emerges from the Shadows: NightshadeC2",
      "description": "A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.",
      "modified": "2025-10-05T10:00:42.432000",
      "created": "2025-09-05T10:46:25.485000",
      "tags": [
        "c2 communication",
        "trojanized software",
        "uac bypass",
        "nightshadec2",
        "lumma stealer",
        "sandbox evasion",
        "keylogging",
        "botnet"
      ],
      "references": [
        "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1547.009",
          "name": "Shortcut Modification",
          "display_name": "T1547.009 - Shortcut Modification"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 56,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 32,
        "domain": 10,
        "hostname": 1
      },
      "indicator_count": 76,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386942,
      "modified_text": "240 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "693ac2642b673dec0dddec05",
      "name": "EbeeDec2025 Pt3",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-10T13:01:53.320000",
      "created": "2025-12-11T13:08:52.083000",
      "tags": [
        "filehashmd5",
        "filehashsha256",
        "filehashsha1",
        "yara"
      ],
      "references": [
        "Book2.csv"
      ],
      "public": 1,
      "adversary": "DragonForce Next.js RCE exploitation, 01flip ransomware, MetaRAT, LLM in an attack using PureCrypter",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 147,
        "FileHash-SHA1": 147,
        "FileHash-SHA256": 152,
        "CIDR": 1,
        "CVE": 6,
        "URL": 56,
        "domain": 261,
        "hostname": 24
      },
      "indicator_count": 794,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "143 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69399a5c1f618fc7b165283a",
      "name": "GrayBravos CastleLoader Activity Clusters Target Multiple Industries",
      "description": "GrayBravo, a sophisticated threat actor previously tracked as TAG-150, operates a malware-as-a-service (MaaS) model that includes the development and deployment of multiple malware families, notably CastleLoader, CastleBot, and the newly discovered CastleRAT. Recent insights have uncovered four distinct clusters of activities associated with CastleLoader, each characterized by unique tactics, techniques, and procedures (TTPs), and victim profiles, indicating the threat actor's adaptability and extensive infrastructure.\n\nThe first cluster, identified as TAG-160, focuses on the logistics sector, where GrayBravo deploys phishing lures impersonating logistics firms. This cluster utilizes the ClickFix technique to distribute CastleLoader while simulating legitimate emails. It has also exploited vulnerabilities in targeted organizations' systems, enhancing deception by spoofing email addresses of established logistics companies, and utilized freight-matching platforms to engage potential victims.",
      "modified": "2026-01-09T16:01:19.286000",
      "created": "2025-12-10T16:05:48.142000",
      "tags": [
        "cloudflare",
        "homenet",
        "externalnet",
        "mgut",
        "ta0011",
        "found",
        "google",
        "na na",
        "cluster",
        "future",
        "malware",
        "execution",
        "accept",
        "sping",
        "copy"
      ],
      "references": [
        "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        },
        {
          "id": "T1583.004",
          "name": "Server",
          "display_name": "T1583.004 - Server"
        },
        {
          "id": "T1588.002",
          "name": "Tool",
          "display_name": "T1588.002 - Tool"
        },
        {
          "id": "T1586.002",
          "name": "Email Accounts",
          "display_name": "T1586.002 - Email Accounts"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1090.002",
          "name": "External Proxy",
          "display_name": "T1090.002 - External Proxy"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        }
      ],
      "industries": [
        "Education",
        "Technology",
        "Transportation"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 16,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "URL": 1,
        "YARA": 3,
        "domain": 189,
        "hostname": 1
      },
      "indicator_count": 242,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "144 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "693913f91a80f37e91aa9622",
      "name": "IOC - GrayBravo\u2019s CastleLoader Activity Clusters Target Multiple Industries",
      "description": "",
      "modified": "2026-01-08T05:01:43.215000",
      "created": "2025-12-10T06:32:25.453000",
      "tags": [
        "logistics",
        "castlerat",
        "castlebot",
        "phishing",
        "castleloader",
        "malware-as-a-service",
        "clickfix",
        "booking.com",
        "netsupport rat",
        "sectoprat",
        "warmcookie",
        "matanbuchus"
      ],
      "references": [
        "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
      ],
      "public": 1,
      "adversary": "GrayBravo",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "CastleLoader",
          "display_name": "CastleLoader",
          "target": null
        },
        {
          "id": "CastleRAT",
          "display_name": "CastleRAT",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "CastleBot",
          "display_name": "CastleBot",
          "target": null
        },
        {
          "id": "SecTopRAT",
          "display_name": "SecTopRAT",
          "target": null
        },
        {
          "id": "WarmCookie",
          "display_name": "WarmCookie",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Logistics",
        "Hospitality",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": "6937b6169bd435b2e3a0787e",
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 17,
        "URL": 6,
        "domain": 198,
        "hostname": 3
      },
      "indicator_count": 238,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "145 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "693a481871431faf92590b25",
      "name": "CastleLoader Activity Clusters Target Multiple Industries",
      "description": "",
      "modified": "2026-01-08T05:01:43.215000",
      "created": "2025-12-11T04:27:04.251000",
      "tags": [
        "logistics",
        "castlerat",
        "castlebot",
        "phishing",
        "castleloader",
        "malware-as-a-service",
        "clickfix",
        "booking.com",
        "netsupport rat",
        "sectoprat",
        "warmcookie",
        "matanbuchus"
      ],
      "references": [
        "https://www.recordedfuture.com/research/graybravos-castleloader-activity-clusters-target-multiple-industries"
      ],
      "public": 1,
      "adversary": "GrayBravo",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "CastleLoader",
          "display_name": "CastleLoader",
          "target": null
        },
        {
          "id": "CastleRAT",
          "display_name": "CastleRAT",
          "target": null
        },
        {
          "id": "Matanbuchus",
          "display_name": "Matanbuchus",
          "target": null
        },
        {
          "id": "CastleBot",
          "display_name": "CastleBot",
          "target": null
        },
        {
          "id": "SecTopRAT",
          "display_name": "SecTopRAT",
          "target": null
        },
        {
          "id": "WarmCookie",
          "display_name": "WarmCookie",
          "target": null
        },
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Logistics",
        "Hospitality",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": "6937b6169bd435b2e3a0787e",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 17,
        "URL": 6,
        "domain": 198,
        "hostname": 3
      },
      "indicator_count": 238,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "145 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bff3e33540d09bd27e7c8c",
      "name": "EbeeSep2025 Pt2",
      "description": "",
      "modified": "2025-10-11T12:03:16.109000",
      "created": "2025-09-09T09:31:15.081000",
      "tags": [],
      "references": [
        "Sep week2.pdf"
      ],
      "public": 1,
      "adversary": "Multiple",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 175,
        "FileHash-SHA1": 165,
        "FileHash-SHA256": 382,
        "domain": 75,
        "hostname": 17,
        "FilePath": 4,
        "URL": 17
      },
      "indicator_count": 835,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "234 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bf862c1478abb8bc3b7e19",
      "name": "IOC - New Botnet Emerges from the Shadows: NightshadeC2",
      "description": "In August 2025, eSentire's Threat Response Unit (TRU) identified a new botnet, tracked as \"NightshadeC2,\" which is being deployed via a loader that employs a simple yet highly effective technique to bypass malware analysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to herein as \u201cUAC Prompt Bombing\u201d.\n\nTRU has observed both C- and Python-based variants that communicate with an unidentified Command and Control (C2) framework. The C variant primarily communicates over TCP ports 7777, 33336, 33337, and 443, whereas Python variants predominantly utilize TCP port 80.",
      "modified": "2025-10-09T01:03:27.215000",
      "created": "2025-09-09T01:43:08.382000",
      "tags": [
        "c variant",
        "python variant",
        "redacted",
        "powershell",
        "ip lookup",
        "backdoor",
        "advanced ip",
        "scanner",
        "nightshade c",
        "hkcuenvironment",
        "python"
      ],
      "references": [
        "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 32,
        "FileHash-SHA1": 32,
        "FileHash-SHA256": 32,
        "URL": 2,
        "domain": 10
      },
      "indicator_count": 108,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "236 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68be44aa19b22417f7fa1f2e",
      "name": "IOC - From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure",
      "description": "Insikt Group has identified a new threat actor, TAG-150, active since at least March 2025, characterized by rapid development, technical sophistication, responsiveness to public reporting, and a large, evolving infrastructure. The infrastructure linked to TAG-150 includes both victim-facing Tier 1 components, such as IP addresses and domains used as command-and-control (C2) servers for multiple malware families, and higher-tier infrastructure composed of multiple layers. Since emerging in March 2025, TAG-150 has deployed multiple likely self-developed malware families, starting with CastleLoader and CastleBot, and most recently CastleRAT, a remote access trojan documented here for the first time. Additionally, Insikt Group has identified multiple services likely leveraged by TAG-150, including file-sharing platforms, anti-detection services, and others.",
      "modified": "2025-10-08T02:04:08.021000",
      "created": "2025-09-08T02:51:22.530000",
      "tags": [
        "sha256",
        "as62904",
        "corporation",
        "warmcookie c2",
        "ip address",
        "castleloader c2",
        "samples",
        "variant samples",
        "seen",
        "as214351",
        "future",
        "python"
      ],
      "references": [
        "https://www.theregister.com/2025/09/05/clickfix_castlerat_malware/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 32,
        "FileHash-SHA1": 32,
        "FileHash-SHA256": 50,
        "URL": 1,
        "domain": 16,
        "hostname": 2
      },
      "indicator_count": 133,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "237 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68bb29155a70ce68c05e982a",
      "name": "ioc block",
      "description": "Hundreds of people have been commenting on the latest developments in the world's largest online community, which are being discussed with a wide range of experts, and their opinions are as diverse as they are.",
      "modified": "2025-10-05T18:01:09.375000",
      "created": "2025-09-05T18:16:53.258000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 24,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 24,
        "URL": 1,
        "domain": 6
      },
      "indicator_count": 79,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 85,
      "modified_text": "240 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "programsbookss.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "programsbookss.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780424161.049341
}