{
  "type": "Domain",
  "indicator": "pubstorm.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/pubstorm.net",
    "alexa": "http://www.alexa.com/siteinfo/pubstorm.net",
    "indicator": "pubstorm.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4128800700,
      "indicator": "pubstorm.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "690b1b175f4f05eaf8f6c0e0",
          "name": "CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE",
          "description": "The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVEit Transfer (CVE-2023-34362) and Fortra GoAnywhere MFT (CVE-2023-0669) exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.",
          "modified": "2025-12-05T09:00:38.044000",
          "created": "2025-11-05T09:38:31.645000",
          "tags": [
            "cve-2025-61882",
            "cve-2023-0669",
            "cyclops blink",
            "cryptomix",
            "infrastructure",
            "oracle ebs",
            "cve-2023-34362",
            "ransomware",
            "fingerprints",
            "ip addresses",
            "network analysis"
          ],
          "references": [
            "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
          ],
          "public": 1,
          "adversary": "Clop",
          "targeted_countries": [
            "Germany",
            "Brazil",
            "Panama",
            "Russian Federation",
            "Netherlands",
            "United States of America",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "Cyclops Blink - S0687",
              "display_name": "Cyclops Blink - S0687",
              "target": null
            },
            {
              "id": "CryptoMix",
              "display_name": "CryptoMix",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            }
          ],
          "industries": [
            "Technology",
            "Finance",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 12,
            "URL": 1,
            "domain": 7
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387021,
          "modified_text": "179 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690cab125d637500bd002d48",
          "name": "CLOP RANSOMWARE: DISSECTING NETWORK",
          "description": "Clop ransomware, operating since early 2019, has infiltrated a range of corporate and private networks, with estimated extortion profits exceeding $500 million. Originating from a group believed to be based in Russia, Clop avoids targeting Commonwealth of Independent States (CIS) countries. This ransomware variant is considered a successor to CryptoMix ransomware, which emerged in 2016. A notable technical aspect of Clop's operations includes the exploitation of vulnerabilities such as CVE-2025-61882, an Oracle E-Business Suite zero-day exploit that came to light in June 2025. This specific attack method underscores Clop's sophisticated approach to leveraging emerging CVEs for network infiltration. Analysis of Clop's network reveals a trend in IP usage, with Germany, Brazil, Panama, and Hong Kong being prominent sources. Out of 96 identified IPs associated with Clop, 41 subnet IPs have been reused, indicating a systematic approach to infrastructure.",
          "modified": "2025-12-06T13:02:41.371000",
          "created": "2025-11-06T14:05:06.749000",
          "tags": [
            "cl0p",
            "group",
            "clop",
            "russia",
            "exploit",
            "fingerprint",
            "panama",
            "movit exploit",
            "research",
            "suite",
            "june",
            "path",
            "cryptomix"
          ],
          "references": [
            "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Russian Federation",
            "Lebanon",
            "Iran, Islamic Republic of",
            "Azerbaijan"
          ],
          "malware_families": [
            {
              "id": "CryptoMix",
              "display_name": "CryptoMix",
              "target": null
            },
            {
              "id": "Clop",
              "display_name": "Clop",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1583.003",
              "name": "Virtual Private Server",
              "display_name": "T1583.003 - Virtual Private Server"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "FileHash-SHA256": 12,
            "domain": 7
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 546,
          "modified_text": "178 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690b3e15fa1f58b81bdfb81d",
          "name": "EbeeNov2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-05T12:04:04.227000",
          "created": "2025-11-05T12:07:49.857000",
          "tags": [],
          "references": [
            "Nov.Week1.pdf"
          ],
          "public": 1,
          "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "FileHash-MD5": 152,
            "FileHash-SHA1": 99,
            "FileHash-SHA256": 186,
            "domain": 28,
            "email": 9,
            "hostname": 21
          },
          "indicator_count": 544,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 42,
          "modified_text": "179 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "690981f1bb64d70b9843c1d6",
          "name": "CLOP RANSOMWARE: DISSECTING NETWORK: THE RAVEN FILE",
          "description": "Found strong indicators of Clop Ransomware which had been used in 2023 Exploits by the Group!\n\nIn-depth analysis of Clop (cl0p) ransomware\u2019s current network infrastructure, mapping 96 IPs across 20+ countries. Reveals 77.8% subnet reuse, persistent C2 fingerprints from 2023 MOVEit attacks, and active exploitation of Oracle EBS zero-day (CVE-2025-61882). Includes high-confidence IOCs, leak domains, and defender guidance.",
          "modified": "2025-12-04T04:04:50.506000",
          "created": "2025-11-04T04:32:49.244000",
          "tags": [
            "cl0p",
            "group",
            "clop",
            "russia",
            "exploit",
            "fingerprint",
            "panama",
            "movit exploit",
            "research",
            "facebook",
            "ransomware",
            "zeroday",
            "0day",
            "darkweb"
          ],
          "references": [
            "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Bheeshmar",
            "id": "55168",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 12,
            "URL": 1,
            "domain": 7
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 86,
          "modified_text": "181 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68c0ec82c5bf753d95843c4f",
          "name": "IOC - Uncovering ALVIVA HOLDING: Links to Russian Shell Companies and Cybercrime",
          "description": "This is an Investigative Report on how the most malicious hosting provider is linked to a Shell Company registered in Seychelles \ud83c\uddf8\ud83c\udde8. This article will not cover Ransomware Analysis, but will focus purely on the incriminating evidence emanating from this case study as we unravel the further Investigation.",
          "modified": "2025-10-10T03:03:06.848000",
          "created": "2025-09-10T03:12:02.783000",
          "tags": [],
          "references": [
            "https://theravenfile.com/2025/09/08/uncovering-alviva-holding-links-to-russian-shell-companies-and-cybercrime/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "236 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Nov.Week1.pdf",
        "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/",
        "https://theravenfile.com/2025/09/08/uncovering-alviva-holding-links-to-russian-shell-companies-and-cybercrime/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Clop"
          ],
          "malware_families": [
            "Cryptomix",
            "Cyclops blink - s0687"
          ],
          "industries": [
            "Government",
            "Technology",
            "Finance"
          ]
        },
        "other": {
          "adversary": [
            "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter"
          ],
          "malware_families": [
            "Cryptomix",
            "Clop"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "690b1b175f4f05eaf8f6c0e0",
      "name": "CLOP RANSOMWARE: DISSECTING NETWORK - THE RAVEN FILE",
      "description": "The report analyzes the network infrastructure used by the Clop ransomware group, focusing on their exploitation of CVE-2025-61882 in Oracle EBS. It identifies 96 IP addresses associated with a specific fingerprint, with Germany, Brazil, and Panama being prominent locations. The analysis reveals significant overlap with IP subnets used in previous Clop attacks, including the MOVEit Transfer (CVE-2023-34362) and Fortra GoAnywhere MFT (CVE-2023-0669) exploits. The report highlights the group's tendency to reuse infrastructure and their shift away from Russian IPs. It also provides high-confidence fingerprints and subnet patterns associated with Clop operations, offering insights into their attack methodology and infrastructure preferences.",
      "modified": "2025-12-05T09:00:38.044000",
      "created": "2025-11-05T09:38:31.645000",
      "tags": [
        "cve-2025-61882",
        "cve-2023-0669",
        "cyclops blink",
        "cryptomix",
        "infrastructure",
        "oracle ebs",
        "cve-2023-34362",
        "ransomware",
        "fingerprints",
        "ip addresses",
        "network analysis"
      ],
      "references": [
        "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
      ],
      "public": 1,
      "adversary": "Clop",
      "targeted_countries": [
        "Germany",
        "Brazil",
        "Panama",
        "Russian Federation",
        "Netherlands",
        "United States of America",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "Cyclops Blink - S0687",
          "display_name": "Cyclops Blink - S0687",
          "target": null
        },
        {
          "id": "CryptoMix",
          "display_name": "CryptoMix",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        }
      ],
      "industries": [
        "Technology",
        "Finance",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 12,
        "URL": 1,
        "domain": 7
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387021,
      "modified_text": "179 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690cab125d637500bd002d48",
      "name": "CLOP RANSOMWARE: DISSECTING NETWORK",
      "description": "Clop ransomware, operating since early 2019, has infiltrated a range of corporate and private networks, with estimated extortion profits exceeding $500 million. Originating from a group believed to be based in Russia, Clop avoids targeting Commonwealth of Independent States (CIS) countries. This ransomware variant is considered a successor to CryptoMix ransomware, which emerged in 2016. A notable technical aspect of Clop's operations includes the exploitation of vulnerabilities such as CVE-2025-61882, an Oracle E-Business Suite zero-day exploit that came to light in June 2025. This specific attack method underscores Clop's sophisticated approach to leveraging emerging CVEs for network infiltration. Analysis of Clop's network reveals a trend in IP usage, with Germany, Brazil, Panama, and Hong Kong being prominent sources. Out of 96 identified IPs associated with Clop, 41 subnet IPs have been reused, indicating a systematic approach to infrastructure.",
      "modified": "2025-12-06T13:02:41.371000",
      "created": "2025-11-06T14:05:06.749000",
      "tags": [
        "cl0p",
        "group",
        "clop",
        "russia",
        "exploit",
        "fingerprint",
        "panama",
        "movit exploit",
        "research",
        "suite",
        "june",
        "path",
        "cryptomix"
      ],
      "references": [
        "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Russian Federation",
        "Lebanon",
        "Iran, Islamic Republic of",
        "Azerbaijan"
      ],
      "malware_families": [
        {
          "id": "CryptoMix",
          "display_name": "CryptoMix",
          "target": null
        },
        {
          "id": "Clop",
          "display_name": "Clop",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1583.003",
          "name": "Virtual Private Server",
          "display_name": "T1583.003 - Virtual Private Server"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "FileHash-SHA256": 12,
        "domain": 7
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 546,
      "modified_text": "178 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690b3e15fa1f58b81bdfb81d",
      "name": "EbeeNov2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-05T12:04:04.227000",
      "created": "2025-11-05T12:07:49.857000",
      "tags": [],
      "references": [
        "Nov.Week1.pdf"
      ],
      "public": 1,
      "adversary": "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "FileHash-MD5": 152,
        "FileHash-SHA1": 99,
        "FileHash-SHA256": 186,
        "domain": 28,
        "email": 9,
        "hostname": 21
      },
      "indicator_count": 544,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 42,
      "modified_text": "179 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "690981f1bb64d70b9843c1d6",
      "name": "CLOP RANSOMWARE: DISSECTING NETWORK: THE RAVEN FILE",
      "description": "Found strong indicators of Clop Ransomware which had been used in 2023 Exploits by the Group!\n\nIn-depth analysis of Clop (cl0p) ransomware\u2019s current network infrastructure, mapping 96 IPs across 20+ countries. Reveals 77.8% subnet reuse, persistent C2 fingerprints from 2023 MOVEit attacks, and active exploitation of Oracle EBS zero-day (CVE-2025-61882). Includes high-confidence IOCs, leak domains, and defender guidance.",
      "modified": "2025-12-04T04:04:50.506000",
      "created": "2025-11-04T04:32:49.244000",
      "tags": [
        "cl0p",
        "group",
        "clop",
        "russia",
        "exploit",
        "fingerprint",
        "panama",
        "movit exploit",
        "research",
        "facebook",
        "ransomware",
        "zeroday",
        "0day",
        "darkweb"
      ],
      "references": [
        "https://theravenfile.com/2025/11/04/clop-ransomware-dissecting-network/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Bheeshmar",
        "id": "55168",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 12,
        "URL": 1,
        "domain": 7
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 86,
      "modified_text": "181 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68c0ec82c5bf753d95843c4f",
      "name": "IOC - Uncovering ALVIVA HOLDING: Links to Russian Shell Companies and Cybercrime",
      "description": "This is an Investigative Report on how the most malicious hosting provider is linked to a Shell Company registered in Seychelles \ud83c\uddf8\ud83c\udde8. This article will not cover Ransomware Analysis, but will focus purely on the incriminating evidence emanating from this case study as we unravel the further Investigation.",
      "modified": "2025-10-10T03:03:06.848000",
      "created": "2025-09-10T03:12:02.783000",
      "tags": [],
      "references": [
        "https://theravenfile.com/2025/09/08/uncovering-alviva-holding-links-to-russian-shell-companies-and-cybercrime/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2
      },
      "indicator_count": 2,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "236 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "pubstorm.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "pubstorm.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780467846.0278828
}