{ "type": "Domain", "indicator": "rapiddevapi.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rapiddevapi.com", "alexa": "http://www.alexa.com/siteinfo/rapiddevapi.com", "indicator": "rapiddevapi.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4038184029, "indicator": "rapiddevapi.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "6895aceaf8d4d7295fce7c8c", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.", "modified": "2025-08-08T08:19:18.280000", "created": "2025-08-08T07:53:14.905000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "GOLD PRELUDE", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386508, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc7992eb7d5642812f4c96", "name": "IOC - Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro", "description": "This post is part 3 in our multi\u2011part series examining abuse of Keitaro Tracker. In part 1 and part 2, we documented several threat types and actors that leverage Keitaro for a range of malicious activities. Part 2 also provided additional visibility into the prevalence of Keitaro abuse across spam and malvertising ecosystems.", "modified": "2026-05-01T01:01:51.565000", "created": "2026-04-01T01:49:06.692000", "tags": [ "domain", "ip address", "los pollos", "propeller ads", "landing page", "domain hosting", "major crypto", "domains", "keitaro version" ], "references": [ "https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689481dbbbd16703c99f5f10", "name": "Collection of Malware (MintsLoader & SocGholish)", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:37:15.375000", "tags": [], "references": [ "Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 76, "FileHash-SHA256": 211, "URL": 115, "domain": 104, "hostname": 37 }, "indicator_count": 619, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689acf7b65de644b57cec5ca", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "", "modified": "2025-08-12T05:22:03.648000", "created": "2025-08-12T05:22:03.648000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": "6895aceaf8d4d7295fce7c8c", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689901bb2323b0727bc2539f", "name": "SocGholish Malware Exploits TDS Networks to Target Victims", "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.", "modified": "2025-08-10T20:31:55.193000", "created": "2025-08-10T20:31:55.193000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895e01b6aa8015c20031989", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push", "description": "", "modified": "2025-08-08T11:31:39.962000", "created": "2025-08-08T11:31:39.962000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "295 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895d89a055c007bad142889", "name": "08082025-ESAF-383", "description": "", "modified": "2025-08-08T10:59:38.457000", "created": "2025-08-08T10:59:38.457000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 11, "URL": 106 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "295 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689506fc41ab125bb35743dd", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the Pioneer of Fake Updates and Its Operator, TA569.", "description": "SocGholish is a sophisticated malware operation run by the threat actor TA569, functioning as a Malware-as-a-Service (MaaS) vendor. TA569 sells access to compromised systems, primarily leveraging deceptive tactics such as bogus \"fake browser updates\" to initiate infections. The primary method of infection involves JavaScript injections on compromised websites, which lead to drive-by malware downloads. SocGholish utilizes Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to channel victims toward malicious sites while avoiding detection. This approach allows TA569 to serve as an Initial Access Broker (IAB), facilitating follow-on attacks for other cybercriminal organizations and state-sponsored groups, including Russia's GRU.", "modified": "2025-08-07T20:05:16.192000", "created": "2025-08-07T20:05:16.192000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Education", "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 12, "URL": 123 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "296 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6894a499b3cdf94c2bea08bc", "name": "SocGholish Deploy Malware via Parrot and Keitaro TDF Systems", "description": "", "modified": "2025-08-07T13:05:29.821000", "created": "2025-08-07T13:05:29.821000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "hostname": 11 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "296 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672f6ed2b564f00b7c5cb13f", "name": "Threatfox Recent Additions", "description": "", "modified": "2025-06-13T19:00:02.811000", "created": "2024-11-09T14:16:50.032000", "tags": [], "references": [ "", "https://threatfox.abuse.ch/export/csv/recent/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 96, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ameermane", "id": "77501", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 47587, "URL": 18714, "FileHash-SHA256": 36311, "FileHash-MD5": 1630, "FileHash-SHA1": 418, "hostname": 18190 }, "indicator_count": 122850, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "351 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d993ba788ab940f8f08338", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "Trend Research analyzed SocGholish\u2019s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.", "modified": "2025-04-17T15:00:16.410000", "created": "2025-03-18T15:39:37.975000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "408 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d5e01e96eaa7672f46852e", "name": "SocGholish's Exploits Aid in the Spread of RansomHub", "description": "", "modified": "2025-04-14T20:00:04.351000", "created": "2025-03-15T20:16:30.957000", "tags": [ "mitigation", "keep", "update siem", "iocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 13, "hostname": 37 }, "indicator_count": 51, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "411 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e64aac2aefac16a725", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:42.306000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d533e1155085a0db344a04", "name": "SocGholish | Indicators of Compromise", "description": "", "modified": "2025-04-14T07:01:25.809000", "created": "2025-03-15T08:01:37.878000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ghitansilviu@gmail.com", "id": "177478", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "412 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d408ff22965b4a48ac9ac6", "name": "SocGholish\u2019s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware", "description": "A review of the findings of a study on the impact of cyber-attacks on a network of more than 100,000 users in the UK, Ireland, Wales and Northern Ireland (NHS).", "modified": "2025-04-13T10:01:22.721000", "created": "2025-03-14T10:46:23.236000", "tags": [ "description", "adsi", "dnshostname", "data", "samaccountname", "mail", "getcontent", "state", "encryptedkey", "update", "trigger", "pass", "ransomhub" ], "references": [ "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 36 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "413 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://documents.trendmicro.com/assets/txt/IOC-List---SocGholish-to-RansomhubRyWU7lB.txt", "https://www.silentpush.com/blog/socgholish/", "https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/", "https://threatfox.abuse.ch/export/csv/recent/", "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html", "Malware.pdf", "Aug1.pdf" ], "related": { "alienvault": { "adversary": [ "GOLD PRELUDE" ], "malware_families": [ "Lockbit", "Dridex - s0384", "Mintsloader", "Wastedlocker - s0612", "Hades", "Socgholish", "Raspberry robin", "Bugat v5", "Netsupportrat" ], "industries": [ "Energy", "Government", "Finance", "Healthcare", "Technology" ] }, "other": { "adversary": [ "TA569", "Multiple" ], "malware_families": [ "", "Lockbit", "Dridex - s0384", "Mintsloader", "Ransomhub", "Wastedlocker - s0612", "Hades", "Socgholish", "Raspberry robin", "Bugat v5", "Netsupportrat" ], "industries": [ "Energy", "Government", "Finance", "Healthcare", "Technology", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "6895aceaf8d4d7295fce7c8c", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.", "modified": "2025-08-08T08:19:18.280000", "created": "2025-08-08T07:53:14.905000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "GOLD PRELUDE", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 386508, "modified_text": "296 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc7992eb7d5642812f4c96", "name": "IOC - Patterns, Pirates, and Provider Action: What We Learned Working with Keitaro", "description": "This post is part 3 in our multi\u2011part series examining abuse of Keitaro Tracker. In part 1 and part 2, we documented several threat types and actors that leverage Keitaro for a range of malicious activities. Part 2 also provided additional visibility into the prevalence of Keitaro abuse across spam and malvertising ecosystems.", "modified": "2026-05-01T01:01:51.565000", "created": "2026-04-01T01:49:06.692000", "tags": [ "domain", "ip address", "los pollos", "propeller ads", "landing page", "domain hosting", "major crypto", "domains", "keitaro version" ], "references": [ "https://www.infoblox.com/blog/threat-intelligence/patterns-pirates-and-provider-action-what-we-learned-working-with-keitaro/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 2 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b8869e00b107fa20d9482", "name": "ThreatFix", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-01-23T11:01:07.175000", "created": "2025-11-17T20:41:11.797000", "tags": [ "", "ransomware", "malware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8010, "FileHash-SHA1": 7922, "FileHash-SHA256": 8893, "URL": 57004, "domain": 36018, "hostname": 96473 }, "indicator_count": 214320, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689481dbbbd16703c99f5f10", "name": "Collection of Malware (MintsLoader & SocGholish)", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:37:15.375000", "tags": [], "references": [ "Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 76, "FileHash-SHA1": 76, "FileHash-SHA256": 211, "URL": 115, "domain": 104, "hostname": 37 }, "indicator_count": 619, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689483159128c89f669e87d6", "name": "EbeeAugust2025 Pt1", "description": "", "modified": "2025-09-06T10:00:39.896000", "created": "2025-08-07T10:42:29.730000", "tags": [], "references": [ "Aug1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 75, "CVE": 1, "FileHash-MD5": 111, "FileHash-SHA1": 139, "FileHash-SHA256": 243, "domain": 137, "hostname": 43, "email": 1 }, "indicator_count": 750, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "267 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689acf7b65de644b57cec5ca", "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator", "description": "", "modified": "2025-08-12T05:22:03.648000", "created": "2025-08-12T05:22:03.648000", "tags": [ "wastedlocker", "socgholish", "netsupportrat", "malware-as-a-service", "fake updates", "traffic distribution system", "domain shadowing", "hades", "mintsloader", "raspberry robin", "lockbit", "ransomware", "dridex", "initial access broker" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "TA569", "targeted_countries": [ "United States of America", "Canada", "Russian Federation" ], "malware_families": [ { "id": "SocGholish", "display_name": "SocGholish", "target": null }, { "id": "Raspberry Robin", "display_name": "Raspberry Robin", "target": null }, { "id": "LockBit", "display_name": "LockBit", "target": null }, { "id": "WastedLocker - S0612", "display_name": "WastedLocker - S0612", "target": null }, { "id": "NetSupportRAT", "display_name": "NetSupportRAT", "target": null }, { "id": "Hades", "display_name": "Hades", "target": null }, { "id": "Dridex - S0384", "display_name": "Dridex - S0384", "target": null }, { "id": "Bugat v5", "display_name": "Bugat v5", "target": null }, { "id": "MintsLoader", "display_name": "MintsLoader", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [ "Finance", "Government", "Healthcare", "Energy", "Technology" ], "TLP": "white", "cloned_from": "6895aceaf8d4d7295fce7c8c", "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 18, "hostname": 12 }, "indicator_count": 33, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "292 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689901bb2323b0727bc2539f", "name": "SocGholish Malware Exploits TDS Networks to Target Victims", "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.", "modified": "2025-08-10T20:31:55.193000", "created": "2025-08-10T20:31:55.193000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "293 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895e01b6aa8015c20031989", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push", "description": "", "modified": "2025-08-08T11:31:39.962000", "created": "2025-08-08T11:31:39.962000", "tags": [ "socgholish", "ta569", "raspberry robin", "keitaro tds", "silent push", "parrot tds", "ta2726", "evil corp", "russia", "dev0243", "dridex", "mintsloader", "push", "keitaro", "lockbit", "attack", "first", "pioneer", "rats", "inject", "wastedlocker", "hades", "fakeupdates", "malware", "fakeupdate", "android", "trojan", "august", "agent", "installer", "worm", "thus" ], "references": [ "https://www.silentpush.com/blog/socgholish/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3, "domain": 19, "hostname": 14 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "295 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6895d89a055c007bad142889", "name": "08082025-ESAF-383", "description": "", "modified": "2025-08-08T10:59:38.457000", "created": "2025-08-08T10:59:38.457000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "hostname": 11, "URL": 106 }, "indicator_count": 129, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "295 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689506fc41ab125bb35743dd", "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the Pioneer of Fake Updates and Its Operator, TA569.", "description": "SocGholish is a sophisticated malware operation run by the threat actor TA569, functioning as a Malware-as-a-Service (MaaS) vendor. TA569 sells access to compromised systems, primarily leveraging deceptive tactics such as bogus \"fake browser updates\" to initiate infections. The primary method of infection involves JavaScript injections on compromised websites, which lead to drive-by malware downloads. SocGholish utilizes Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to channel victims toward malicious sites while avoiding detection. This approach allows TA569 to serve as an Initial Access Broker (IAB), facilitating follow-on attacks for other cybercriminal organizations and state-sponsored groups, including Russia's GRU.", "modified": "2025-08-07T20:05:16.192000", "created": "2025-08-07T20:05:16.192000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1090.003", "name": "Multi-hop Proxy", "display_name": "T1090.003 - Multi-hop Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Education", "Finance" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "hostname": 12, "URL": 123 }, "indicator_count": 148, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "296 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rapiddevapi.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rapiddevapi.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780224221.7635415 }