{ "type": "Domain", "indicator": "rbcauthentication.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/rbcauthentication.com", "alexa": "http://www.alexa.com/siteinfo/rbcauthentication.com", "indicator": "rbcauthentication.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2881342758, "indicator": "rbcauthentication.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69479bd1714bb9552aeb3623", "name": "Cyber trails of malicious actor KillNet by skocherhan", "description": "", "modified": "2025-12-21T07:03:45.053000", "created": "2025-12-21T07:03:45.053000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "6758fd5afdfe6960ccda2cca", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6812e7ad9b8cafc0f7fec1ce", "name": "FHS - FBI Phishing Domains Associated with LabHost PhaaS Platform Users", "description": "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world\u2019s largest PhaaS providers, offering a range of illicit services for approximately 10,000 users. The platform enabled cyber criminals to impersonate more than 200 organizations, including major banks and government institutions, in an effort to collect personal information and banking credentials from unsuspecting victims worldwide. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used by recipients for research and defense.", "modified": "2025-05-31T03:01:18.057000", "created": "2025-05-01T03:17:01.551000", "tags": [ "Phishing Domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FHS-Services", "id": "51336", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67041, "URL": 60, "hostname": 17338 }, "indicator_count": 84439, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d40723097f4c09d7724", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:28.274000", "created": "2025-05-01T15:03:28.274000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 562, "modified_text": "353 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d3cd48fd389972ce061", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:24.415000", "created": "2025-05-01T15:03:24.415000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "353 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758fd5afdfe6960ccda2cca", "name": "Cyber trails of malicious actor KillNet", "description": "", "modified": "2024-12-11T02:47:54.379000", "created": "2024-12-11T02:47:54.379000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "494 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv", "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "LabHost" ], "malware_families": [ "Phishing" ], "industries": [ "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69479bd1714bb9552aeb3623", "name": "Cyber trails of malicious actor KillNet by skocherhan", "description": "", "modified": "2025-12-21T07:03:45.053000", "created": "2025-12-21T07:03:45.053000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": "6758fd5afdfe6960ccda2cca", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "119 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6812e7ad9b8cafc0f7fec1ce", "name": "FHS - FBI Phishing Domains Associated with LabHost PhaaS Platform Users", "description": "The Federal Bureau of Investigation (FBI) is releasing this FLASH to disseminate 42,000 phishing domains linked to the LabHost phishing-as-a-service (PhaaS) platform between November 2021 and April 2024. Prior to being disabled by law enforcement in April 2024, LabHost was one of the world\u2019s largest PhaaS providers, offering a range of illicit services for approximately 10,000 users. The platform enabled cyber criminals to impersonate more than 200 organizations, including major banks and government institutions, in an effort to collect personal information and banking credentials from unsuspecting victims worldwide. The FBI is releasing this information to maximize awareness and provide indicators of compromise that may be used by recipients for research and defense.", "modified": "2025-05-31T03:01:18.057000", "created": "2025-05-01T03:17:01.551000", "tags": [ "Phishing Domains" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "FHS-Services", "id": "51336", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 67041, "URL": 60, "hostname": 17338 }, "indicator_count": 84439, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d40723097f4c09d7724", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:28.274000", "created": "2025-05-01T15:03:28.274000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 562, "modified_text": "353 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68138d3cd48fd389972ce061", "name": "FBI shares massive list of 42,000 LabHost phishing domains", "description": "", "modified": "2025-05-01T15:03:24.415000", "created": "2025-05-01T15:03:24.415000", "tags": [ "LabHost", "Phishing" ], "references": [ "https://www.ic3.gov/CSA/2025/LabHost_Domains.csv" ], "public": 1, "adversary": "LabHost", "targeted_countries": [], "malware_families": [ { "id": "Phishing", "display_name": "Phishing", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "VertekLabs", "id": "168455", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_168455/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 30, "domain": 33520, "hostname": 8669 }, "indicator_count": 42219, "is_author": false, "is_subscribing": null, "subscriber_count": 561, "modified_text": "353 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6758fd5afdfe6960ccda2cca", "name": "Cyber trails of malicious actor KillNet", "description": "", "modified": "2024-12-11T02:47:54.379000", "created": "2024-12-11T02:47:54.379000", "tags": [], "references": [ "https://raw.githubusercontent.com/securityscorecard/SSC-Threat-Intel-IoCs/master/KillNet-DDoS-Blocklist/proxylist.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 28942, "FileHash-SHA256": 2586, "hostname": 15671, "domain": 9429, "CVE": 4 }, "indicator_count": 56632, "is_author": false, "is_subscribing": null, "subscriber_count": 180, "modified_text": "494 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "rbcauthentication.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "rbcauthentication.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776649704.767594 }