{ "type": "Domain", "indicator": "redcanary.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/redcanary.com", "alexa": "http://www.alexa.com/siteinfo/redcanary.com", "indicator": "redcanary.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2681758951, "indicator": "redcanary.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69f3322b53bd6368005d9ac9", "name": "Sinkholes, Backdoors, Trojans, and Exploits.", "description": "[ full text of this article, which has now been published, is published on the website of the European Union, the EU and the United Arab Emirates (UAE), and can be viewed here.] Markus Oberhumer, Laszlo Molnar i John Reiser", "description": "192.168.0.194 23.253.126.58 HTTP 106 GET /post/echo HTTP/1.1\nWersja pliku: 6.0.100.33\nMaszyna docelowa: Procesory Intel 386 lub nowsze oraz zgodne procesory\nPunkt wej\u015bcia: 0x00076A70\nLiczba sekcji: 3\nA security alert issued by the European Commission has identified a malicious process masquerading as the legitimate \"svchost.exe\" operating system and executing from an uncommon location in an unknown location.", "modified": "2025-05-14T20:50:19.966000", "created": "2024-12-27T15:48:34.024000", "tags": [ "sha256", "java", "win32 exe", "intel", "utc first", "submission", "file version", "platform se", "contained", "vhash", "ssdeep", "crypter", "poudel date", "nextron", "lazarus group", "system file", "anomaly id", "svchost rule", "windows system", "roth", "patrick bareiss", "anton kutepov", "winreagent", "vitali kremez", "wykryto scraper", "jackpos", "sopsop", "security" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 14, "FileHash-SHA256": 91, "domain": 30, "URL": 190, "hostname": 65, "CVE": 2 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd47886bb96c2d1d0b12ff", "name": "GootLoader, From SEO Poisoning to Multi-Stage Downloader", "description": "GootLoader is a multi-staged JavaScript malware that has been in the wild since late 2020, and is known to use search engine optimization techniques to lure victims into becoming infected with the malware.", "modified": "2024-09-14T00:03:26.042000", "created": "2024-08-15T00:10:48.821000", "tags": [ "research", "gootloader", "mitre d3fend", "cobalt strike", "yara rule", "beacon", "stager", "iocs", "d3ua", "detects stager", "strings", "test", "dotnet", "smokeloader", "smoke loader", "infostealer", "javascript", "gootkit", "stage" ], "references": [ "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "United States of America" ], "malware_families": [ { "id": "GootKit", "display_name": "GootKit", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 16, "URL": 1, "YARA": 2, "domain": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd478922c1ea1bccd9d8cf", "name": "GootLoader, From SEO Poisoning to Multi-Stage Downloader", "description": "GootLoader is a multi-staged JavaScript malware that has been in the wild since late 2020, and is known to use search engine optimization techniques to lure victims into becoming infected with the malware.", "modified": "2024-09-14T00:03:26.042000", "created": "2024-08-15T00:10:49.272000", "tags": [ "research", "gootloader", "mitre d3fend", "cobalt strike", "yara rule", "beacon", "stager", "iocs", "d3ua", "detects stager", "strings", "test", "dotnet", "smokeloader", "smoke loader", "infostealer", "javascript", "gootkit", "stage" ], "references": [ "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "United States of America" ], "malware_families": [ { "id": "GootKit", "display_name": "GootKit", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 16, "URL": 1, "YARA": 2, "domain": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64373c54a721267506283905", "name": "InQuest - 12-04-2023", "description": "", "modified": "2023-04-12T23:18:44.167000", "created": "2023-04-12T23:18:44.167000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 112, "IPv4": 105, "URL": 1767, "domain": 1197, "hostname": 187, "FileHash-MD5": 112, "FileHash-SHA1": 9 }, "indicator_count": 3489, "is_author": false, "is_subscribing": null, "subscriber_count": 1625, "modified_text": "1147 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6271946c5bb54e0eca0d94c7", "name": "Analysis of BlackByte Ransomware's Go-Based Variants | Zscaler", "description": "Zscaler delivers the world\u2019s largest security platform built for the cloud, with the aim of delivering a zero trust approach to safeguarding your enterprise and protecting users from phishing, ransomware and other attacks.", "modified": "2022-06-03T00:01:00.120000", "created": "2022-05-03T20:45:32.170000", "tags": [ "blackbyte", "language blackbyte", "chacha", "blackbyte v2", "aes key", "blackbyte v1", "figure", "base64", "curve25519", "hacked", "connect", "raccine", "february", "stop", "service", "updater", "revil", "this", "bitcoin" ], "references": [ "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackByte", "display_name": "BlackByte", "target": null }, { "id": "ChaCha", "display_name": "ChaCha", "target": null }, { "id": "Language BlackByte", "display_name": "Language BlackByte", "target": null } ], "attack_ids": [ { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Critical Infrastructure" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 9, "URL": 3, "domain": 3 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 357, "modified_text": "1460 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6278843fe1e84ca55c4c8571", "name": "BLISTER Loader - Elastic Security Research", "description": "Elastic Security has developed a tool that can detect and respond to a variety of malware, from data wiper malware in Ukraine to the Dirty Pipe in Southeast Asian financial sector, and now it has a dedicated tool to detect BLISTER.", "modified": "2022-05-09T03:02:23.554000", "created": "2022-05-09T03:02:23.554000", "tags": [ "blister", "blister loader", "windows", "blister malware", "heaven", "getprocaddress", "windows native", "cobalt strike", "launchcolorcpl", "finally", "gate", "daniel", "amadey", "bitrat", "clipbanker", "remcos", "raccoon", "persistence", "launch", "first", "apache" ], "references": [ "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BLISTER", "display_name": "BLISTER", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "caralin0702", "id": "73972", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 103, "modified_text": "1485 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62739163ca71b11d4d95984c", "name": "ESET Research Lazarus Group", "description": "The first issue of the ESET Threat Report is out today and we want you to read all the details about the latest research and findings. \u00c2\u00a31m worth of research on the subject.", "modified": "2022-05-05T08:57:07.820000", "created": "2022-05-05T08:57:07.820000", "tags": [ "agent", "agent tesla", "lazarus", "fraud", "mozi", "trickbot", "android banking", "eset", "emotet", "vyveva", "formbook", "turla", "psw.fareit", "ranumbot", "webshell", "qbot", "fonix", "ryuk", "ursnif", "hiddad", "winnti", "shadowpad", "luckymouse", "kobalos", "linux", "houdrat", "vools", "nanocore", "maas", "wannacryptor", "phobos", "gandcrab", "cryptowall", "cerber", "ctblocker", "nephilim", "netwalker", "ziggy", "doppelpaymer", "dridex", "phishing", "triada", "trojansms.agent", "shlayer", "mirai", "iis", "xdspy" ], "references": [ "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf" ], "public": 1, "adversary": "Lazarus Group", "targeted_countries": [ "Thailand", "Portugal", "Belgium", "United States of America", "Peru", "Russian Federation", "France", "Spain", "Colombia", "Japan", "Turkey", "Italy", "Poland", "Albania", "India", "China" ], "malware_families": [ { "id": "Agent", "display_name": "Agent", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Fraud", "display_name": "Fraud", "target": null }, { "id": "Mozi", "display_name": "Mozi", "target": null }, { "id": "TrickBot", "display_name": "TrickBot", "target": null }, { "id": "ESET", "display_name": "ESET", "target": null }, { "id": "Android Banking", "display_name": "Android Banking", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Formbook", "display_name": "Formbook", "target": null }, { "id": "Vyveva", "display_name": "Vyveva", "target": null }, { "id": "Hiddad", "display_name": "Hiddad", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "Ryuk", "display_name": "Ryuk", "target": null }, { "id": "Fonix", "display_name": "Fonix", "target": null }, { "id": "Qbot", "display_name": "Qbot", "target": null }, { "id": "WebShell", "display_name": "WebShell", "target": null }, { "id": "RanumBot", "display_name": "RanumBot", "target": null }, { "id": "PSW.Fareit", "display_name": "PSW.Fareit", "target": null }, { "id": "Turla", "display_name": "Turla", "target": null }, { "id": "XDSpy", "display_name": "XDSpy", "target": null }, { "id": "IIS", "display_name": "IIS", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Shlayer", "display_name": "Shlayer", "target": null }, { "id": "TrojanSMS.Agent", "display_name": "TrojanSMS.Agent", "target": null }, { "id": "Triada", "display_name": "Triada", "target": null }, { "id": "Phishing", "display_name": "Phishing", "target": null }, { "id": "Dridex", "display_name": "Dridex", "target": null }, { "id": "DoppelPaymer", "display_name": "DoppelPaymer", "target": null }, { "id": "Ziggy", "display_name": "Ziggy", "target": null }, { "id": "NetWalker", "display_name": "NetWalker", "target": null }, { "id": "Nephilim", "display_name": "Nephilim", "target": null }, { "id": "CTBLocker", "display_name": "CTBLocker", "target": null }, { "id": "Cerber", "display_name": "Cerber", "target": null }, { "id": "CryptoWall", "display_name": "CryptoWall", "target": null }, { "id": "GandCrab", "display_name": "GandCrab", "target": null }, { "id": "Phobos", "display_name": "Phobos", "target": null }, { "id": "WannaCryptor", "display_name": "WannaCryptor", "target": null }, { "id": "MaaS", "display_name": "MaaS", "target": null }, { "id": "Webshell", "display_name": "Webshell", "target": null }, { "id": "NanoCore", "display_name": "NanoCore", "target": null }, { "id": "Vools", "display_name": "Vools", "target": null }, { "id": "HoudRat", "display_name": "HoudRat", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Kobalos", "display_name": "Kobalos", "target": null }, { "id": "LuckyMouse", "display_name": "LuckyMouse", "target": null }, { "id": "ShadowPad", "display_name": "ShadowPad", "target": null }, { "id": "Winnti", "display_name": "Winnti", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "display_name": "T1127 - Trusted Developer Utilities Proxy Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1213", "name": "Data from Information Repositories", "display_name": "T1213 - Data from Information Repositories" } ], "industries": [ "Hospitality", "Financial Services", "Transportation", "Finance", "Manufacturing", "Retail", "Healthcare", "Government", "Cryptocurrency", "Bitcoin", "Defense", "Construction", "Oil", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "nageswaran", "id": "61577", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10, "CVE": 19, "domain": 43, "hostname": 11 }, "indicator_count": 83, "is_author": false, "is_subscribing": null, "subscriber_count": 61, "modified_text": "1489 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "61ed22a7b6f547be5fcdf1a7", "name": "BHUNT Stealer", "description": "A whitepaper on BHUNT Stealer, an attack on cryptocurrency wallets, has been published by the security firm Bitdefender, which provides security and security software for the Bitcoin and other crypto currencies.", "modified": "2022-01-23T09:40:55.950000", "created": "2022-01-23T09:40:55.950000", "tags": [ "bhunt", "redline" ], "references": [ "https://samples.vx-underground.org/samples/Families/BHUNTStealer/Paper/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BHUNT", "display_name": "BHUNT", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null } ], "attack_ids": [ { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "demoextraa", "id": "176114", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 3, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "1591 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://labs.inquest.net/iocdb", "https://samples.vx-underground.org/samples/Families/BHUNTStealer/Paper/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf", "as15169", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://cybersecsentinel.com/gootloader-new-evasion-methods-target-search-driven-workflows/", "https://pberba.github.io/security/2025/11/11/macos-infection-vector-applescript-bypass-gatekeeper/", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "https://elastic.github.io/security-research/malware/2022/05/02.blister/article/", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader", "https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomwares-go-based-variants", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Verification failure observed in automated verification handlers during sandbox replay.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Adversary Profile: Salt Typhoon Alignment The architectural gap identified by mudoSO mirrors the act", "Lazarus Group" ], "malware_families": [ "Gootkit", "Cryptowall", "Dridex", "Cobalt strike", "Shlayer", "Redline", "Linux", "Formbook", "Ryuk", "Trickbot", "Trojansms.agent", "Ctblocker", "Wannacryptor", "Fraud", "Hiddad", "Mozi", "Qbot", "Mirai", "Shadowpad", "Houdrat", "Agent tesla", "Psw.fareit", "Vyveva", "Winnti", "Phobos", "Luckymouse", "Netwalker", "Android banking", "Gandcrab", "Chacha", "Webshell", "Xdspy", "Nephilim", "Ursnif", "Fonix", "Emotet", "Eset", "Maas", "Lazarus", "Ziggy", "Phishing", "Nanocore", "Turla", "Vools", "Gootloader jscript", "Iis", "Language blackbyte", "Ranumbot", "Bhunt", "Agent", "Kobalos", "Blackbyte", "Triada", "Cerber", "Doppelpaymer", "Gootloader", "Blister" ], "industries": [ "Construction", "Legal", "Hospitality", "Transportation", "Government", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Manufacturing", "Bitcoin", "Critical infrastructure", "Defense", "Oil", "Telecommunications", "Financial services", "Retail", "Healthcare", "Cryptocurrency", "Finance", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69f3322b53bd6368005d9ac9", "name": "Sinkholes, Backdoors, Trojans, and Exploits.", "description": "[ full text of this article, which has now been published, is published on the website of the European Union, the EU and the United Arab Emirates (UAE), and can be viewed here.] Markus Oberhumer, Laszlo Molnar i John Reiser", "description": "192.168.0.194 23.253.126.58 HTTP 106 GET /post/echo HTTP/1.1\nWersja pliku: 6.0.100.33\nMaszyna docelowa: Procesory Intel 386 lub nowsze oraz zgodne procesory\nPunkt wej\u015bcia: 0x00076A70\nLiczba sekcji: 3\nA security alert issued by the European Commission has identified a malicious process masquerading as the legitimate \"svchost.exe\" operating system and executing from an uncommon location in an unknown location.", "modified": "2025-05-14T20:50:19.966000", "created": "2024-12-27T15:48:34.024000", "tags": [ "sha256", "java", "win32 exe", "intel", "utc first", "submission", "file version", "platform se", "contained", "vhash", "ssdeep", "crypter", "poudel date", "nextron", "lazarus group", "system file", "anomaly id", "svchost rule", "windows system", "roth", "patrick bareiss", "anton kutepov", "winreagent", "vitali kremez", "wykryto scraper", "jackpos", "sopsop", "security" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 18, "FileHash-SHA1": 14, "FileHash-SHA256": 91, "domain": 30, "URL": 190, "hostname": 65, "CVE": 2 }, "indicator_count": 410, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "384 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd47886bb96c2d1d0b12ff", "name": "GootLoader, From SEO Poisoning to Multi-Stage Downloader", "description": "GootLoader is a multi-staged JavaScript malware that has been in the wild since late 2020, and is known to use search engine optimization techniques to lure victims into becoming infected with the malware.", "modified": "2024-09-14T00:03:26.042000", "created": "2024-08-15T00:10:48.821000", "tags": [ "research", "gootloader", "mitre d3fend", "cobalt strike", "yara rule", "beacon", "stager", "iocs", "d3ua", "detects stager", "strings", "test", "dotnet", "smokeloader", "smoke loader", "infostealer", "javascript", "gootkit", "stage" ], "references": [ "https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader" ], "public": 1, "adversary": "", "targeted_countries": [ "Germany", "United States of America" ], "malware_families": [ { "id": "GootKit", "display_name": "GootKit", "target": null }, { "id": "GootLoader", "display_name": "GootLoader", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Legal" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 11, "FileHash-SHA1": 11, "FileHash-SHA256": 16, "URL": 1, "YARA": 2, "domain": 1 }, "indicator_count": 42, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "redcanary.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "redcanary.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780442979.6520002 }