{ "type": "Domain", "indicator": "questwitch.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/questwitch.com", "alexa": "http://www.alexa.com/siteinfo/questwitch.com", "indicator": "questwitch.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2119494594, "indicator": "questwitch.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "5d2db9cc8e1eb4d4d4be15e5", "name": "Fancy Bear Phishing", "description": "One domain targets a Singapore-based investment firm, and another references the Berlin anti-corruption organization Transparency International, which Russia has targeted before. Others are generic or ambiguous in their targeting. But one seized domain, soros-my-sharepoint[.]com, jumps out as a clear reference to Soros, a past GRU target from Russia\u2019s 2016 election interference. \n\nAn additional four phishing domains registered in the same time frame appear to target Soros Open Society Foundations, said Kyle Ehmke, an intelligence researcher at the Arlington, Virginia-based cybersecurity firm ThreatConnect. Those domains haven\u2019t been seized and ThreatConnect hasn\u2019t found enough evidence to definitively link them to the Russian hackers, said Ehmke.", "modified": "2019-07-18T13:59:18.346000", "created": "2019-07-16T11:49:32.033000", "tags": [ "gru", "fancy bear", "russia" ], "references": [ "https://twitter.com/kyleehmke/status/1150834700069552130", "https://twitter.com/kyleehmke/status/1136333242032959488", "https://twitter.com/kyleehmke/status/1151845729855582211" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "United States" ], "malware_families": [], "attack_ids": [], "industries": [ "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1, "URL": 2, "email": 3 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386992, "modified_text": "2511 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://twitter.com/kyleehmke/status/1136333242032959488", "https://twitter.com/kyleehmke/status/1150834700069552130", "https://twitter.com/kyleehmke/status/1151845729855582211" ], "related": { "alienvault": { "adversary": [ "Sofacy" ], "malware_families": [], "industries": [ "Ngo" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "5d2db9cc8e1eb4d4d4be15e5", "name": "Fancy Bear Phishing", "description": "One domain targets a Singapore-based investment firm, and another references the Berlin anti-corruption organization Transparency International, which Russia has targeted before. Others are generic or ambiguous in their targeting. But one seized domain, soros-my-sharepoint[.]com, jumps out as a clear reference to Soros, a past GRU target from Russia\u2019s 2016 election interference. \n\nAn additional four phishing domains registered in the same time frame appear to target Soros Open Society Foundations, said Kyle Ehmke, an intelligence researcher at the Arlington, Virginia-based cybersecurity firm ThreatConnect. Those domains haven\u2019t been seized and ThreatConnect hasn\u2019t found enough evidence to definitively link them to the Russian hackers, said Ehmke.", "modified": "2019-07-18T13:59:18.346000", "created": "2019-07-16T11:49:32.033000", "tags": [ "gru", "fancy bear", "russia" ], "references": [ "https://twitter.com/kyleehmke/status/1150834700069552130", "https://twitter.com/kyleehmke/status/1136333242032959488", "https://twitter.com/kyleehmke/status/1151845729855582211" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "United States" ], "malware_families": [], "attack_ids": [], "industries": [ "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 67, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 14, "hostname": 1, "URL": 2, "email": 3 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 386992, "modified_text": "2511 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "questwitch.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "questwitch.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780421656.734275 }