{ "type": "Domain", "indicator": "r-e.kr", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/r-e.kr", "alexa": "http://www.alexa.com/siteinfo/r-e.kr", "indicator": "r-e.kr", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3029763528, "indicator": "r-e.kr", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "68086801e8d1152efa326ded", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "", "modified": "2025-04-23T04:09:37.721000", "created": "2025-04-23T04:09:37.721000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": "6808590ab0a1d32dd6e35f6d", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "405 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6808590ab0a1d32dd6e35f6d", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "", "modified": "2025-04-23T03:05:46.991000", "created": "2025-04-23T03:05:46.991000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": "6807a062bab986d8241cc660", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "405 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a062bab986d8241cc660", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "The ATIP (ATIP) has released details of the Kimsuky cyber-attack group, which has been attacking South Korea's software, energy, finance and financial industries since October 2023.", "modified": "2025-04-22T13:57:54.646000", "created": "2025-04-22T13:57:54.646000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "406 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677487b4fa989e79df3501c1", "name": "Twitter Feed - SecAI_AI - 31-12-2024", "description": "", "modified": "2025-01-01T00:09:24.202000", "created": "2025-01-01T00:09:24.202000", "tags": [ "APT", "phishing" ], "references": [ "https://x.com/SecAI_AI/status/1874034531222904853" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1, "URL": 4, "domain": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "517 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666652f2b5711ecde6ad58c0", "name": "r-e.kr", "description": "", "modified": "2024-07-10T01:06:06.537000", "created": "2024-06-10T01:12:18.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 391, "domain": 1, "email": 1 }, "indicator_count": 393, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "692 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6666335de28da1f94efdc768", "name": "gabia", "description": "", "modified": "2024-07-10T00:00:17.501000", "created": "2024-06-09T22:57:33.339000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 106, "FileHash-SHA256": 8, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "692 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6482ead800295cf7f522642d", "name": "Threat Trend Report on Kimsuky", "description": "The full text of the AhnLab Cyber Threat Intelligence Report on Kimsuky Group, which was published on 1 May 2023, is subject to copyright protection and may not be published elsewhere.", "modified": "2023-06-09T09:03:20.677000", "created": "2023-06-09T09:03:20.677000", "tags": [ "kimsuky", "appleseed", "flowerpower", "braveprince" ], "references": [ "https://asec.ahnlab.com/wp-content/uploads/2023/06/ATIP_2023_Apr_Threat-Trend-Report-on-Kimsuky-Group.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BravePrince", "display_name": "BravePrince", "target": null }, { "id": "FlowerPower", "display_name": "FlowerPower", "target": null }, { "id": "AppleSeed", "display_name": "AppleSeed", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "FileHash-MD5": 19, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 7, "hostname": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1089 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://x.com/SecAI_AI/status/1874034531222904853", "https://asec.ahnlab.com/wp-content/uploads/2023/06/ATIP_2023_Apr_Threat-Trend-Report-on-Kimsuky-Group.pdf", "https://asec.ahnlab.com/en/87554/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Myspy", "Appleseed", "Flowerpower", "Braveprince", "Kimsuky" ], "industries": [ "Financial", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "68086801e8d1152efa326ded", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "", "modified": "2025-04-23T04:09:37.721000", "created": "2025-04-23T04:09:37.721000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": "6808590ab0a1d32dd6e35f6d", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "405 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6808590ab0a1d32dd6e35f6d", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "", "modified": "2025-04-23T03:05:46.991000", "created": "2025-04-23T03:05:46.991000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": "6807a062bab986d8241cc660", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "405 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6807a062bab986d8241cc660", "name": "APT Group Profiles - Larva-24005 - ASEC", "description": "The ATIP (ATIP) has released details of the Kimsuky cyber-attack group, which has been attacking South Korea's software, energy, finance and financial industries since October 2023.", "modified": "2025-04-22T13:57:54.646000", "created": "2025-04-22T13:57:54.646000", "tags": [ "south korea", "japan", "cve20190708", "myspy malware", "rdpwrap", "actor group", "star7", "ahnlab security", "center", "asec", "korean", "mexico", "cve201711882", "tools", "kimsuky", "phishing", "myspy" ], "references": [ "https://asec.ahnlab.com/en/87554/" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Japan" ], "malware_families": [ { "id": "Kimsuky", "display_name": "Kimsuky", "target": null }, { "id": "MySpy", "display_name": "MySpy", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Energy", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "hostname": 7, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "406 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677487b4fa989e79df3501c1", "name": "Twitter Feed - SecAI_AI - 31-12-2024", "description": "", "modified": "2025-01-01T00:09:24.202000", "created": "2025-01-01T00:09:24.202000", "tags": [ "APT", "phishing" ], "references": [ "https://x.com/SecAI_AI/status/1874034531222904853" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1, "URL": 4, "domain": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "517 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666652f2b5711ecde6ad58c0", "name": "r-e.kr", "description": "", "modified": "2024-07-10T01:06:06.537000", "created": "2024-06-10T01:12:18.639000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 391, "domain": 1, "email": 1 }, "indicator_count": 393, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "692 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6666335de28da1f94efdc768", "name": "gabia", "description": "", "modified": "2024-07-10T00:00:17.501000", "created": "2024-06-09T22:57:33.339000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 106, "FileHash-SHA256": 8, "hostname": 1 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "692 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6482ead800295cf7f522642d", "name": "Threat Trend Report on Kimsuky", "description": "The full text of the AhnLab Cyber Threat Intelligence Report on Kimsuky Group, which was published on 1 May 2023, is subject to copyright protection and may not be published elsewhere.", "modified": "2023-06-09T09:03:20.677000", "created": "2023-06-09T09:03:20.677000", "tags": [ "kimsuky", "appleseed", "flowerpower", "braveprince" ], "references": [ "https://asec.ahnlab.com/wp-content/uploads/2023/06/ATIP_2023_Apr_Threat-Trend-Report-on-Kimsuky-Group.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BravePrince", "display_name": "BravePrince", "target": null }, { "id": "FlowerPower", "display_name": "FlowerPower", "target": null }, { "id": "AppleSeed", "display_name": "AppleSeed", "target": null }, { "id": "Kimsuky", "display_name": "Kimsuky", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 7, "FileHash-MD5": 19, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 7, "hostname": 8 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1089 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "r-e.kr", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "r-e.kr", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780432468.7429097 }