{ "type": "Domain", "indicator": "pulseadnetwork.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pulseadnetwork.com", "alexa": "http://www.alexa.com/siteinfo/pulseadnetwork.com", "indicator": "pulseadnetwork.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4043722937, "indicator": "pulseadnetwork.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1253b80afb273a203dc37", "name": "Unsigned \"Everything Installer\"", "description": "The full text of the Microsoft Visual C/C++ executable (EXE32) has been published on the website, and here is the full list of highlights::., as well as the following:", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T05:01:47.524000", "tags": [ "compiler", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 installer", "exe32" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 10, "FileHash-SHA256": 104, "hostname": 13, "domain": 26, "URL": 9, "CVE": 2, "email": 2 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a145ba89a2b4af5a0aa721", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:26.222000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 33, "hostname": 29, "FileHash-SHA256": 91, "FileHash-MD5": 1, "FileHash-SHA1": 20, "CVE": 14, "email": 1 }, "indicator_count": 280, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1535debec4128ab952040", "name": "I See You, Too. #.icu", "description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T08:18:37.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 294, "CVE": 22, "URL": 278, "FileHash-MD5": 234, "FileHash-SHA1": 240, "FileHash-SHA256": 1663, "hostname": 142, "YARA": 1, "email": 13, "CIDR": 2 }, "indicator_count": 2889, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a190a3adfa1c2ce3a67f45", "name": "HijackLoader: Free Games, Costly Consequences, and Loads of Malware", "description": "A team of researchers has uncovered a new form of malware, known as the \u201cHijackLoader\u201d and how it has turned a popular Spanish gaming platform into an opportunity for cybercriminals.", "modified": "2026-02-27T12:40:03.521000", "created": "2026-02-27T12:40:03.521000", "tags": [ "hijackloader", "api hashing", "crc32", "sm entry", "ntdll", "antivm module", "copylist", "allusersprofile", "xor key", "payload" ], "references": [ "https://blog.gdatasoftware.com/2026/02/38373-pivigames-spreads-hijackloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 2, "domain": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "92 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d06409e03b19fb2eb737c5", "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub", "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.", "modified": "2025-04-10T16:02:20.978000", "created": "2025-03-11T16:25:45.654000", "tags": [ "url https", "ip address", "indicator type", "type https", "filename sha256", "c2s indicator", "domain", "urls indicator", "url indicator", "indicator", "powershell", "autoit" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "FileHash-MD5": 75, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "domain": 58, "hostname": 2 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cba2c76268444d82d2d9ab", "name": "One Million Devices Impacted by Infostealer Campaign", "description": "A sophisticated cyber campaign ran by the threat group called Storm-0408 has\ncompromised about one devices to deploy malicious payloads.", "modified": "2025-04-07T01:00:24.947000", "created": "2025-03-08T01:52:07.443000", "tags": [ "domain", "url https", "indicator", "file name", "filename sha256", "certificate", "githubhosted", "secondstage", "c2s indicator", "type", "powershell", "ip address", "type http", "c2 http", "computer", "c2 fourthstage", "url fourthstage", "indicator type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 58, "URL": 57, "hostname": 2, "FileHash-MD5": 35, "FileHash-SHA1": 46, "FileHash-SHA256": 109 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb8afb5b6010855bdd027f", "name": "InQuest - 07-03-2025", "description": "", "modified": "2025-04-07T00:03:06.367000", "created": "2025-03-08T00:10:35.322000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 655, "FileHash-SHA1": 27, "URL": 476, "hostname": 84, "domain": 129, "FileHash-MD5": 27 }, "indicator_count": 1398, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cacce2ff28f3af5baa75bc", "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog", "description": "Microsoft Security is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.", "modified": "2025-04-06T10:00:27.717000", "created": "2025-03-07T10:39:30.563000", "tags": [ "ipaddress", "timestamp", "table", "additionalinfo", "project", "github", "timegenerated", "microsoft", "useragent", "powershell", "autoit", "lumma stealer", "defender", "path", "discord", "doenerium", "nsis", "encrypt", "psexec", "service", "suspicious", "anomaly", "sentinel", "twitter", "lumma", "netsupport" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Information Technology", "Technology", "Defense", "Telecommunications", "Higher Education", "Energy", "Oil And Gas", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "FileHash-MD5": 41, "FileHash-SHA1": 47, "FileHash-SHA256": 112, "domain": 59, "hostname": 2 }, "indicator_count": 320, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cacce59175307b6d7f03c6", "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog", "description": "Microsoft Security is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.", "modified": "2025-04-06T10:00:27.717000", "created": "2025-03-07T10:39:33.594000", "tags": [ "ipaddress", "timestamp", "table", "additionalinfo", "project", "github", "timegenerated", "microsoft", "useragent", "powershell", "autoit", "lumma stealer", "defender", "path", "discord", "doenerium", "nsis", "encrypt", "psexec", "service", "suspicious", "anomaly", "sentinel", "twitter", "lumma", "netsupport" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Information Technology", "Technology", "Defense", "Telecommunications", "Higher Education", "Energy", "Oil And Gas", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "FileHash-MD5": 41, "FileHash-SHA1": 47, "FileHash-SHA256": 112, "domain": 59, "hostname": 2 }, "indicator_count": 320, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ca39006b50993d4ba19927", "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog", "description": "Microsoft Security is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.", "modified": "2025-04-06T00:01:42.553000", "created": "2025-03-07T00:08:32.097000", "tags": [ "ipaddress", "timestamp", "table", "additionalinfo", "project", "github", "timegenerated", "microsoft", "useragent", "powershell", "autoit", "lumma stealer", "defender", "path", "discord", "doenerium", "nsis", "encrypt", "psexec", "service", "suspicious", "anomaly", "sentinel", "twitter", "lumma", "netsupport" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Information Technology", "Technology", "Defense", "Telecommunications", "Higher Education", "Energy", "Oil And Gas", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "FileHash-MD5": 41, "FileHash-SHA1": 47, "FileHash-SHA256": 112, "domain": 59, "hostname": 2 }, "indicator_count": 320, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ca394df02a68ad4f8bdd44", "name": "InQuest - 06-03-2025", "description": "", "modified": "2025-04-06T00:01:42.553000", "created": "2025-03-07T00:09:49.679000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 597, "FileHash-SHA1": 84, "URL": 688, "hostname": 142, "domain": 209, "FileHash-MD5": 82 }, "indicator_count": 1802, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blog.gdatasoftware.com/2026/02/38373-pivigames-spreads-hijackloader", "https://labs.inquest.net/iocdb", "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "[Unnamed group]" ], "malware_families": [ "Netsupport", "Lumma" ], "industries": [ "Government", "Information technology", "Higher education", "Telecommunications", "Defense", "Energy", "Social engineering", "Oil and gas", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69a02837827feb0b78fa3ad2", "name": "The Belasco Chain", "description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.", "modified": "2026-05-31T01:02:14", "created": "2026-02-26T11:02:15.932000", "tags": [ "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "file type", "sha1", "sha256", "crc32", "filenames c" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2813, "FileHash-SHA1": 2576, "FileHash-SHA256": 8145, "domain": 1903, "hostname": 1502, "URL": 1359, "email": 46, "CVE": 54, "CIDR": 3, "YARA": 7, "JA3": 1, "IPv4": 11 }, "indicator_count": 18420, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "10 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1253b80afb273a203dc37", "name": "Unsigned \"Everything Installer\"", "description": "The full text of the Microsoft Visual C/C++ executable (EXE32) has been published on the website, and here is the full list of highlights::., as well as the following:", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T05:01:47.524000", "tags": [ "compiler", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "pe32 installer", "exe32" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 17, "FileHash-SHA1": 10, "FileHash-SHA256": 104, "hostname": 13, "domain": 26, "URL": 9, "CVE": 2, "email": 2 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a145ba89a2b4af5a0aa721", "name": "Credential Stuffing & C2 Config: AREK-BTC Variant (Zeppelin-Linked)", "description": "IoCs for 83hcm-eadaebdbd / BF_BIND_STUFF Campaign\n[CONFIG_START]\nVERSION: 4.2.1-NSV4\nSERVER_HOST: akamaihd.net/eum/results.txt\nAUTH_KEY: 83hcm-eadaebdbd\nTARGET_LIST: /nests/stuffed_cred_v4.db\nACTION: BF_BIND_STUFF\nRETRY_LIMIT: 400\nLOG_PATH: /tmp/results_log.txt\n[PAYLOAD_REDIRECTS]\nURL1: https://formsv.nycourts.gov...\nURL2: https://caneidhelp.miami.edu...\nURL3: https://www.americanexpress.com...\n[USER_AGENT_SPOOF]\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n[END_CONFIG]", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T07:20:26.222000", "tags": [ "configstart", "version", "authkey", "url1", "useragentspoof", "windows nt", "win64", "endconfig" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 91, "domain": 33, "hostname": 29, "FileHash-SHA256": 91, "FileHash-MD5": 1, "FileHash-SHA1": 20, "CVE": 14, "email": 1 }, "indicator_count": 280, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a1535debec4128ab952040", "name": "I See You, Too. #.icu", "description": "The NSV4-ICU campaign exhibits a profound cryptographic and linguistic mismatch betokening a Western operator driving a foreign engine. While the tactical codebase utilizes GBK-encoded (Simplified Chinese) metadata, the binary logs reveal a definitive tradecraft failure: the presence of \u00ba\u00c3\u00b0\u00c9 (H\u01ceo ba), a conversational \"Alrighty.\" This is likely a failed attempt to utilize a foreign language on a Western-localized screen, resulting in \"Mojibake\" (garbage text) and the semantic error of identifying the developer as a \"Novelist\" (Zu\u00f2zh\u011b) rather than a \"Programmer.\"\nBy stripping Western UTF-8 telemetry through spoofed Nashville (BNA) and Apple/Google thumbprints, the operator confirms Local Root CA injection and a manual interception pipeline. The .icu (I See You) signature is ultimately undermined by the operator's own metadata\u2014effectively a Westerner shouting in a digital dialect they don't speak, creating a detectable encoding-latency signature that peels back the \"invisible typhoon\" mask.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T08:18:37.071000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 294, "CVE": 22, "URL": 278, "FileHash-MD5": 234, "FileHash-SHA1": 240, "FileHash-SHA256": 1663, "hostname": 142, "YARA": 1, "email": 13, "CIDR": 2 }, "indicator_count": 2889, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a185462e3c17c346bcdf79", "name": "The Trans-Pacific Mesh & Starfield Pipeline Subversion", "description": "The September 26, 2025, shadow renewal and the May 2, 2025, certificate issuance (925a10) confirm an advanced architectural alignment targeting the Hillsboro \"Silicon Forest\" ring and the TallComponents (.NET) document pipeline. By nesting an unauthorized clientAuth extension within a legitimate Starfield (Mesh Digital) signature, the operative successfully bridged the gap between web traffic and hardware-level telematics.\nThis campaign weaponized the 159,942 Majestic Trust Flow to validate a Serial 1 SOA shadow zone, neutralizing filters while executing ASP.NET Core (Kestrel) request smuggling via the 13.32.205.51 node. This subversion is evidenced by the 60-second TTL oscillation of 3.169.202.x clusters, creating a detectable \"fast-flux\" latency at the HIO52 (Hillsboro) edge. Finally, the Mesh Digital registrant pivot to hex-encoded 34326... and 1f8f41... identifiers secures the Tallfield Pipeline\u2014a hijacked Azure-hosted backend for identity packaging of Amex and UGA credentials.", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-27T11:51:34.696000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 710, "URL": 355, "hostname": 252, "CVE": 4, "CIDR": 6, "FileHash-MD5": 615, "FileHash-SHA1": 585, "email": 21, "FileHash-SHA256": 4316, "SSLCertFingerprint": 2 }, "indicator_count": 6866, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a190a3adfa1c2ce3a67f45", "name": "HijackLoader: Free Games, Costly Consequences, and Loads of Malware", "description": "A team of researchers has uncovered a new form of malware, known as the \u201cHijackLoader\u201d and how it has turned a popular Spanish gaming platform into an opportunity for cybercriminals.", "modified": "2026-02-27T12:40:03.521000", "created": "2026-02-27T12:40:03.521000", "tags": [ "hijackloader", "api hashing", "crc32", "sm entry", "ntdll", "antivm module", "copylist", "allusersprofile", "xor key", "payload" ], "references": [ "https://blog.gdatasoftware.com/2026/02/38373-pivigames-spreads-hijackloader" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Sand-Storm", "id": "94093", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_94093/resized/80/avatar_281f69b768.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 4, "URL": 2, "domain": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 413, "modified_text": "92 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d06409e03b19fb2eb737c5", "name": "Malvertising Campaign Leads to Info Stealers Hosted on GitHub", "description": "In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.", "modified": "2025-04-10T16:02:20.978000", "created": "2025-03-11T16:25:45.654000", "tags": [ "url https", "ip address", "indicator type", "type https", "filename sha256", "c2s indicator", "domain", "urls indicator", "url indicator", "indicator", "powershell", "autoit" ], "references": [], "public": 1, "adversary": "[Unnamed group]", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dylanroth7", "id": "285032", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "FileHash-MD5": 75, "FileHash-SHA1": 85, "FileHash-SHA256": 110, "domain": 58, "hostname": 2 }, "indicator_count": 387, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cba2c76268444d82d2d9ab", "name": "One Million Devices Impacted by Infostealer Campaign", "description": "A sophisticated cyber campaign ran by the threat group called Storm-0408 has\ncompromised about one devices to deploy malicious payloads.", "modified": "2025-04-07T01:00:24.947000", "created": "2025-03-08T01:52:07.443000", "tags": [ "domain", "url https", "indicator", "file name", "filename sha256", "certificate", "githubhosted", "secondstage", "c2s indicator", "type", "powershell", "ip address", "type http", "c2 http", "computer", "c2 fourthstage", "url fourthstage", "indicator type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 58, "URL": 57, "hostname": 2, "FileHash-MD5": 35, "FileHash-SHA1": 46, "FileHash-SHA256": 109 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb8afb5b6010855bdd027f", "name": "InQuest - 07-03-2025", "description": "", "modified": "2025-04-07T00:03:06.367000", "created": "2025-03-08T00:10:35.322000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 655, "FileHash-SHA1": 27, "URL": 476, "hostname": 84, "domain": 129, "FileHash-MD5": 27 }, "indicator_count": 1398, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "419 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cacce2ff28f3af5baa75bc", "name": "Malvertising campaign leads to info stealers hosted on GitHub | Microsoft Security Blog", "description": "Microsoft Security is a comprehensive and comprehensive guide to the company's products, services and services, as well as an analysis and analysis of how they might be used to steal information from users.", "modified": "2025-04-06T10:00:27.717000", "created": "2025-03-07T10:39:30.563000", "tags": [ "ipaddress", "timestamp", "table", "additionalinfo", "project", "github", "timegenerated", "microsoft", "useragent", "powershell", "autoit", "lumma stealer", "defender", "path", "discord", "doenerium", "nsis", "encrypt", "psexec", "service", "suspicious", "anomaly", "sentinel", "twitter", "lumma", "netsupport" ], "references": [ "https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lumma", "display_name": "Lumma", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Information Technology", "Technology", "Defense", "Telecommunications", "Higher Education", "Energy", "Oil And Gas", "Social Engineering" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 59, "FileHash-MD5": 41, "FileHash-SHA1": 47, "FileHash-SHA256": 112, "domain": 59, "hostname": 2 }, "indicator_count": 320, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "420 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pulseadnetwork.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pulseadnetwork.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780225823.8002949 }