{ "type": "Domain", "indicator": "pstatics.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pstatics.com", "alexa": "http://www.alexa.com/siteinfo/pstatics.com", "indicator": "pstatics.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4131120037, "indicator": "pstatics.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cab3708706152ca1a69388", "name": "IBCART & TSOC Alerts", "description": "", "modified": "2025-10-17T13:01:09.510000", "created": "2025-09-17T13:11:12.219000", "tags": [ "bakery desotta thanjavur", "cakes in thanjavur", "bakery in thanjavur", "cake shops in thanjavur", "order", "fresh cream", "tier cake", "black forest", "cakes order", "cake order", "cream cakes", "white forest", "barbie cake", "photo cakes", "cakes", "sweet", "contact", "resume", "june", "template", "templates free", "jeane", "read more", "free", "social media", "google slides", "free website", "christmas" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 1, "FileHash-MD5": 581, "FileHash-SHA1": 135, "FileHash-SHA256": 193, "URL": 43, "domain": 96, "hostname": 211 }, "indicator_count": 1260, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cab68925d63a78f9a991e2", "name": "IBCART & TSOC indicators", "description": "", "modified": "2025-10-17T13:01:09.510000", "created": "2025-09-17T13:24:25.813000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 15, "FileHash-SHA256": 18, "URL": 17, "domain": 44, "hostname": 60 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c93298b78576f61e2ab935", "name": "Twitter Feed - sdcyberresearch - 15-09-2025", "description": "", "modified": "2025-09-16T09:49:12.436000", "created": "2025-09-16T09:49:12.436000", "tags": [ "Magecart" ], "references": [ "https://x.com/sdcyberresearch/status/1967530667019010127" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "URL": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "257 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/sdcyberresearch/status/1967530667019010127", "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Magecart" ], "malware_families": [ "Magecart" ], "industries": [ "Ecommerce" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68cd3e87c34598454648d266", "name": "Magecart Skimmer Analysis: From One Tweet to a Campaign.", "description": "Recent investigations into Magecart campaigns have revealed a sophisticated approach to malicious JavaScript injection aimed at skimming payment data from compromised ecommerce websites. The analysis began with an initial observation from a single tweet referencing the potential involvement of a Magecart-style operation specifically targeting http://cc-analytics.com. This prompted further inquiry into the methods used by threat actors.\n\nKey to understanding the attack technique was the deobfuscation of malicious scripts. Analysts utilized a debugging method by prefixing the script with \"debugger;\" and executing it in browser developer tools. Additionally, they employed Python to decode the obfuscated strings, which utilized hexadecimal values and \\x representations, thereby simplifying the extraction of relevant content.", "modified": "2025-10-19T11:00:08.739000", "created": "2025-09-19T11:29:11.054000", "tags": [ "urlscan", "point", "debugger", "python trick", "python", "collect credit", "process my", "dom reference", "ip address", "magecart" ], "references": [ "https://blog.himanshuanand.com/posts/15-09-2025-magecart-skimmer-analysis/" ], "public": 1, "adversary": "Magecart", "targeted_countries": [], "malware_families": [ { "id": "Magecart", "display_name": "Magecart", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056.002", "name": "GUI Input Capture", "display_name": "T1056.002 - GUI Input Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" } ], "industries": [ "Ecommerce" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "domain": 15, "hostname": 27 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "224 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cab3708706152ca1a69388", "name": "IBCART & TSOC Alerts", "description": "", "modified": "2025-10-17T13:01:09.510000", "created": "2025-09-17T13:11:12.219000", "tags": [ "bakery desotta thanjavur", "cakes in thanjavur", "bakery in thanjavur", "cake shops in thanjavur", "order", "fresh cream", "tier cake", "black forest", "cakes order", "cake order", "cream cakes", "white forest", "barbie cake", "photo cakes", "cakes", "sweet", "contact", "resume", "june", "template", "templates free", "jeane", "read more", "free", "social media", "google slides", "free website", "christmas" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 1, "FileHash-MD5": 581, "FileHash-SHA1": 135, "FileHash-SHA256": 193, "URL": 43, "domain": 96, "hostname": 211 }, "indicator_count": 1260, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68cab68925d63a78f9a991e2", "name": "IBCART & TSOC indicators", "description": "", "modified": "2025-10-17T13:01:09.510000", "created": "2025-09-17T13:24:25.813000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Abinsiby12345", "id": "358730", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 363, "FileHash-SHA1": 15, "FileHash-SHA256": 18, "URL": 17, "domain": 44, "hostname": 60 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68c93298b78576f61e2ab935", "name": "Twitter Feed - sdcyberresearch - 15-09-2025", "description": "", "modified": "2025-09-16T09:49:12.436000", "created": "2025-09-16T09:49:12.436000", "tags": [ "Magecart" ], "references": [ "https://x.com/sdcyberresearch/status/1967530667019010127" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "URL": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "257 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pstatics.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pstatics.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780258539.1201253 }