{
  "type": "Domain",
  "indicator": "relysudden.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/relysudden.com",
    "alexa": "http://www.alexa.com/siteinfo/relysudden.com",
    "indicator": "relysudden.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3723873032,
      "indicator": "relysudden.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "66e001e55e7c69c7c2be94df",
          "name": "Threat Assessment: North Korean Threat Groups",
          "description": "This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows, macOS, and Linux systems, providing technical insights into their functionality and Palo Alto Networks Cortex XDR's capability to detect and mitigate these threats.",
          "modified": "2024-10-10T08:03:36.798000",
          "created": "2024-09-10T08:23:01.551000",
          "tags": [
            "comebacker",
            "collectionrat",
            "northkorea",
            "malware",
            "fullhouse",
            "espionage",
            "poolrat",
            "rats",
            "cybercrime",
            "odicloader",
            "rustbucket",
            "objcshellz",
            "kandykorn",
            "pondrat",
            "smoothoperator"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
          ],
          "public": 1,
          "adversary": "Various North Korean groups under the Reconnaissance General Bureau",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RustBucket",
              "display_name": "RustBucket",
              "target": null
            },
            {
              "id": "KANDYKORN",
              "display_name": "KANDYKORN",
              "target": null
            },
            {
              "id": "SmoothOperator",
              "display_name": "SmoothOperator",
              "target": null
            },
            {
              "id": "ObjCShellz",
              "display_name": "ObjCShellz",
              "target": null
            },
            {
              "id": "Fullhouse",
              "display_name": "Fullhouse",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "PondRAT",
              "display_name": "PondRAT",
              "target": null
            },
            {
              "id": "OdicLoader",
              "display_name": "OdicLoader",
              "target": null
            },
            {
              "id": "Comebacker",
              "display_name": "Comebacker",
              "target": null
            },
            {
              "id": "CollectionRAT",
              "display_name": "CollectionRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1009",
              "name": "Binary Padding",
              "display_name": "T1009 - Binary Padding"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 78,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 37,
            "URL": 2,
            "domain": 12,
            "hostname": 1
          },
          "indicator_count": 98,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386665,
          "modified_text": "599 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688d7524289f57edfc461022",
          "name": "TraderTraitor Exposed: The Lazarus Crypto Heist Network",
          "description": "",
          "modified": "2025-09-01T02:00:30.266000",
          "created": "2025-08-02T02:17:08.314000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ESFBSOCTCR",
            "id": "200541",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "domain": 23,
            "hostname": 19
          },
          "indicator_count": 54,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 86,
          "modified_text": "273 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6889d70a58014bb2c1abe999",
          "name": "Who is TraderTraitor?",
          "description": "TraderTraitor represents a cluster of North Korean state-sponsored cyber activity orchestrated by advanced persistent threat (APT) groups including Lazarus Group, APT38, and others. This operation is primarily financially motivated, specifically targeting the cryptocurrency and blockchain ecosystem to fund North Korea's state programs amid extensive sanctions. U.S. agencies, including the FBI and CISA, have linked TraderTraitor to significant cryptocurrency thefts, such as the $308 million DMM Bitcoin exchange hack and a $1.5 billion breach of the Bybit crypto exchange. The operations of TraderTraitor are characterized by the use of sophisticated techniques including social engineering, trojanized applications, and supply chain compromises. For example, the group employs phishing tactics under the guise of job offers targeting employees in crypto-related roles to deploy malicious applications that appear functional.",
          "modified": "2025-08-29T08:00:34.369000",
          "created": "2025-07-30T08:25:46.133000",
          "tags": [
            "security",
            "threat intel",
            "research",
            "tradertraitor",
            "lazarus",
            "javascript",
            "github",
            "command",
            "july",
            "north korea",
            "jumpcloud",
            "safe",
            "wallet",
            "telegram",
            "manuscrypt",
            "malware",
            "bitcoin",
            "february",
            "python",
            "april",
            "bluenoroff",
            "evolution",
            "discord",
            "cloud",
            "service",
            "malicious",
            "execution",
            "manipulation",
            "tools",
            "stealer",
            "korean",
            "footer",
            "domain",
            "github security",
            "blog domain",
            "blog malicious",
            "github account",
            "fake github",
            "dafom",
            "value",
            "description",
            "source sha256",
            "stratofear"
          ],
          "references": [
            "https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist"
          ],
          "public": 1,
          "adversary": "TraderTraitor",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1578",
              "name": "Modify Cloud Compute Infrastructure",
              "display_name": "T1578 - Modify Cloud Compute Infrastructure"
            },
            {
              "id": "T1580",
              "name": "Cloud Infrastructure Discovery",
              "display_name": "T1580 - Cloud Infrastructure Discovery"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            },
            {
              "id": "T1609",
              "name": "Container Administration Command",
              "display_name": "T1609 - Container Administration Command"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 24,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 15,
            "hostname": 19
          },
          "indicator_count": 66,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 545,
          "modified_text": "276 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f73a3f45fa88890276d",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:23.616000",
          "created": "2024-11-24T03:37:23.616000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 25,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67429f7224d433f384b935c8",
          "name": "StreamMining",
          "description": "",
          "modified": "2024-11-24T03:37:22.551000",
          "created": "2024-11-24T03:37:22.551000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "670f94e03014212e19fa5a77",
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rivocado",
            "id": "300960",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "554 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f94e03014212e19fa5a77",
          "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
          "description": "By Helaly",
          "modified": "2024-11-15T10:01:11.688000",
          "created": "2024-10-16T10:26:40.893000",
          "tags": [
            "eliminar",
            "leer ms",
            "wishlist vista",
            "poltica",
            "secadores",
            "vista",
            "sala",
            "vaporal",
            "utensilios",
            "belleza equipos",
            "ciudad"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 39659,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Eslam-ElHelaly",
            "id": "259630",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "URL": 170,
            "domain": 11158,
            "hostname": 3549
          },
          "indicator_count": 14883,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 80,
          "modified_text": "563 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e1797e61f69c762b1dc8aa",
          "name": "Threat Assessment: North Korean Threat Groups",
          "description": "This blog presents a comprehensive assessment of North Korean threat groups, as well as the techniques Palo Alto Networks uses to protect customers from the malware campaigns these groups carry out on behalf of the Korean People's Army.",
          "modified": "2024-10-11T11:02:17.959000",
          "created": "2024-09-11T11:05:34.786000",
          "tags": [
            "cortex xdr",
            "hloader",
            "sugarloader",
            "figure",
            "kandykorn",
            "pondrat",
            "palo alto",
            "discord",
            "smoothoperator",
            "objcshellz",
            "fullhouse",
            "poolrat",
            "comebacker",
            "agent",
            "updateagent",
            "lazarus",
            "bluenoroff",
            "kimsuky",
            "alliance",
            "slow",
            "rats",
            "hack",
            "swift",
            "rust",
            "download",
            "python",
            "shell",
            "february",
            "class",
            "korean",
            "macos",
            "http",
            "linux",
            "windows",
            "rustbucket"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
          ],
          "public": 1,
          "adversary": "Comebacker",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Korean",
              "display_name": "Korean",
              "target": null
            },
            {
              "id": "MacOS",
              "display_name": "MacOS",
              "target": null
            },
            {
              "id": "Fullhouse",
              "display_name": "Fullhouse",
              "target": null
            },
            {
              "id": "HTTP",
              "display_name": "HTTP",
              "target": null
            },
            {
              "id": "POOLRAT",
              "display_name": "POOLRAT",
              "target": null
            },
            {
              "id": "Linux",
              "display_name": "Linux",
              "target": null
            },
            {
              "id": "Windows",
              "display_name": "Windows",
              "target": null
            },
            {
              "id": "RustBucket",
              "display_name": "RustBucket",
              "target": null
            },
            {
              "id": "macOS",
              "display_name": "macOS",
              "target": null
            },
            {
              "id": "Comebacker",
              "display_name": "Comebacker",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial",
            "Media",
            "Defense"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 36,
            "FileHash-SHA1": 36,
            "FileHash-SHA256": 37,
            "URL": 2,
            "domain": 29,
            "hostname": 1
          },
          "indicator_count": 141,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 867,
          "modified_text": "598 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c7e49b4ca9d524fe2af625",
          "name": "North Korea Leverages\u00a0SaaS Provider\u00a0in\u00a0a Targeted\u00a0Supply Chain Attack | Mandiant",
          "description": "This report comprehensively analyzes a sophisticated supply chain attack against JumpCloud, attributed to UNC4899, a suspected North Korean element within the Reconnaissance General Bureau. The threat actors targeted organizations involved with cryptocurrency, employing advanced tactics, techniques, and procedures and deploying multiple backdoors. The report offers actionable intelligence to bolster defenses, respond effectively to incidents, and mitigate risks associated with these cyber threats. Key recommendations include implementing multi-factor authentication, regular security awareness training, advanced endpoint protection solutions, and a zero-trust architecture. Given UNC4899's demonstrated capabilities and focus on IT service providers and cryptocurrency organizations, immediate action is advised.",
          "modified": "2023-08-30T16:03:29.422000",
          "created": "2023-07-31T16:43:07.157000",
          "tags": [],
          "references": [
            "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "STRATOFEAR",
              "display_name": "STRATOFEAR",
              "target": null
            },
            {
              "id": "TIEDYE",
              "display_name": "TIEDYE",
              "target": null
            },
            {
              "id": "FULLHOUSE.DOORED",
              "display_name": "FULLHOUSE.DOORED",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial Services"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "99gmotor",
            "id": "234776",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 11,
            "URL": 3,
            "domain": 10
          },
          "indicator_count": 39,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 46,
          "modified_text": "1005 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c11c5a734d0bbea3270355",
          "name": "North Korea Leverages\u00a0SaaS Provider\u00a0in\u00a0a Targeted\u00a0Supply Chain Attack | Mandiant",
          "description": "Mandiant, the world's leading cyber security intelligence provider, has announced that it is expanding its platform and offering products and services to help companies and governments defend against cyber crime. \u00c2\u00a31.",
          "modified": "2023-08-25T13:03:32.676000",
          "created": "2023-07-26T13:15:06.141000",
          "tags": [
            "mandiant",
            "stratofear",
            "unc4899",
            "tiedye",
            "cyber security",
            "dprk",
            "jumpcloud",
            "ruby script",
            "strong",
            "digital threat",
            "protect",
            "contact",
            "service",
            "config",
            "virustotal",
            "solve",
            "embed",
            "close",
            "test",
            "life",
            "advantage",
            "find",
            "austin",
            "june",
            "write",
            "path",
            "vmprotect",
            "macos",
            "lazarus",
            "win64",
            "footer",
            "fullhouse.doored"
          ],
          "references": [
            "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
          ],
          "public": 1,
          "adversary": "DPRK",
          "targeted_countries": [
            "Korea, Republic of",
            "United States of America",
            "Hong Kong",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "STRATOFEAR",
              "display_name": "STRATOFEAR",
              "target": null
            },
            {
              "id": "TIEDYE",
              "display_name": "TIEDYE",
              "target": null
            },
            {
              "id": "DPRK",
              "display_name": "DPRK",
              "target": null
            },
            {
              "id": "FULLHOUSE.DOORED",
              "display_name": "FULLHOUSE.DOORED",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial Services",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 8,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 11,
            "URL": 3,
            "domain": 10
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 864,
          "modified_text": "1010 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64bee8364be919430e12420a",
          "name": "JumpCloud Breach Linked to UNC4899",
          "description": "",
          "modified": "2023-08-23T21:00:34.495000",
          "created": "2023-07-24T21:08:06.600000",
          "tags": [],
          "references": [
            "July 25th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2883 - JumpCloud Breach Linked to UNC4899.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 11,
            "domain": 6
          },
          "indicator_count": 29,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1012 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64bec0acb65f6129f534d9c6",
          "name": "North Korea Leverages\u00a0SaaS Provider\u00a0in\u00a0a Targeted\u00a0Supply Chain Attack | Mandiant",
          "description": "In July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity. We believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a zero-trust directory platform service used for identity and access management. JumpCloud reported this unauthorized access impacted fewer than five customers and less than 10 devices.The details in this blog post are based on Mandiant\u2019s investigation into the attack against one of JumpCloud\u2019s impacted customers.",
          "modified": "2023-08-23T18:03:34.433000",
          "created": "2023-07-24T18:19:24.747000",
          "tags": [
            "mandiant",
            "stratofear",
            "unc4899",
            "cyber security",
            "dprk",
            "tiedye",
            "jumpcloud",
            "ruby script",
            "strong",
            "digital threat",
            "protect",
            "contact",
            "service",
            "config",
            "path",
            "virustotal",
            "solve",
            "embed",
            "close",
            "test",
            "life",
            "advantage",
            "find",
            "austin",
            "june",
            "write",
            "vmprotect",
            "macos",
            "lazarus",
            "footer",
            "fullhouse.doored"
          ],
          "references": [
            "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
          ],
          "public": 1,
          "adversary": "DPRK",
          "targeted_countries": [
            "Korea, Republic of",
            "United States of America",
            "Hong Kong",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "STRATOFEAR",
              "display_name": "STRATOFEAR",
              "target": null
            },
            {
              "id": "TIEDYE",
              "display_name": "TIEDYE",
              "target": null
            },
            {
              "id": "DPRK",
              "display_name": "DPRK",
              "target": null
            },
            {
              "id": "FULLHOUSE.DOORED",
              "display_name": "FULLHOUSE.DOORED",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial Services",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mxdrthreat",
            "id": "230035",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 11,
            "URL": 3,
            "YARA": 3,
            "domain": 10
          },
          "indicator_count": 43,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 52,
          "modified_text": "1012 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c356970e77deb26a5875b9",
          "name": "North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack",
          "description": "",
          "modified": "2023-08-23T18:03:34.433000",
          "created": "2023-07-28T05:48:07.428000",
          "tags": [
            "mandiant",
            "stratofear",
            "unc4899",
            "cyber security",
            "dprk",
            "tiedye",
            "jumpcloud",
            "ruby script",
            "strong",
            "digital threat",
            "protect",
            "contact",
            "service",
            "config",
            "path",
            "virustotal",
            "solve",
            "embed",
            "close",
            "test",
            "life",
            "advantage",
            "find",
            "austin",
            "june",
            "write",
            "vmprotect",
            "macos",
            "lazarus",
            "footer",
            "fullhouse.doored"
          ],
          "references": [
            "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
          ],
          "public": 1,
          "adversary": "DPRK",
          "targeted_countries": [
            "Korea, Republic of",
            "United States of America",
            "Hong Kong",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "STRATOFEAR",
              "display_name": "STRATOFEAR",
              "target": null
            },
            {
              "id": "TIEDYE",
              "display_name": "TIEDYE",
              "target": null
            },
            {
              "id": "DPRK",
              "display_name": "DPRK",
              "target": null
            },
            {
              "id": "FULLHOUSE.DOORED",
              "display_name": "FULLHOUSE.DOORED",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial Services",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": "64bec0acb65f6129f534d9c6",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 11,
            "URL": 3,
            "YARA": 3,
            "domain": 10
          },
          "indicator_count": 43,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1012 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64c36a76306580517bf33acf",
          "name": "North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack",
          "description": "",
          "modified": "2023-08-23T18:03:34.433000",
          "created": "2023-07-28T07:12:54.591000",
          "tags": [
            "mandiant",
            "stratofear",
            "unc4899",
            "cyber security",
            "dprk",
            "tiedye",
            "jumpcloud",
            "ruby script",
            "strong",
            "digital threat",
            "protect",
            "contact",
            "service",
            "config",
            "path",
            "virustotal",
            "solve",
            "embed",
            "close",
            "test",
            "life",
            "advantage",
            "find",
            "austin",
            "june",
            "write",
            "vmprotect",
            "macos",
            "lazarus",
            "footer",
            "fullhouse.doored"
          ],
          "references": [
            "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
          ],
          "public": 1,
          "adversary": "DPRK",
          "targeted_countries": [
            "Korea, Republic of",
            "United States of America",
            "Hong Kong",
            "Singapore"
          ],
          "malware_families": [
            {
              "id": "STRATOFEAR",
              "display_name": "STRATOFEAR",
              "target": null
            },
            {
              "id": "TIEDYE",
              "display_name": "TIEDYE",
              "target": null
            },
            {
              "id": "DPRK",
              "display_name": "DPRK",
              "target": null
            },
            {
              "id": "FULLHOUSE.DOORED",
              "display_name": "FULLHOUSE.DOORED",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            }
          ],
          "industries": [
            "Cryptocurrency",
            "Financial Services",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": "64c356970e77deb26a5875b9",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 11,
            "URL": 3,
            "YARA": 3,
            "domain": 10
          },
          "indicator_count": 43,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "1012 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist",
        "July 25th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2883 - JumpCloud Breach Linked to UNC4899.pdf",
        "https://www.mandiant.com/resources/blog/north-korea-supply-chain",
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Various North Korean groups under the Reconnaissance General Bureau"
          ],
          "malware_families": [
            "Pondrat",
            "Objcshellz",
            "Smoothoperator",
            "Rustbucket",
            "Fullhouse",
            "Poolrat",
            "Collectionrat",
            "Comebacker",
            "Kandykorn",
            "Odicloader"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "TraderTraitor",
            "DPRK",
            "Comebacker"
          ],
          "malware_families": [
            "Dprk",
            "Linux",
            "Rustbucket",
            "Fullhouse.doored",
            "Korean",
            "Fullhouse",
            "Poolrat",
            "Tiedye",
            "Macos",
            "Comebacker",
            "Windows",
            "Stratofear",
            "Http"
          ],
          "industries": [
            "Media",
            "Financial services",
            "Financial",
            "Defense",
            "Crypto",
            "Cryptocurrency"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "66e001e55e7c69c7c2be94df",
      "name": "Threat Assessment: North Korean Threat Groups",
      "description": "This assessment evaluates several North Korean threat groups operating under the Reconnaissance General Bureau. It describes their organizational structure, objectives, and the diverse malware families employed in their recent campaigns targeting various industries worldwide. The analysis covers 10 malware samples across Windows, macOS, and Linux systems, providing technical insights into their functionality and Palo Alto Networks Cortex XDR's capability to detect and mitigate these threats.",
      "modified": "2024-10-10T08:03:36.798000",
      "created": "2024-09-10T08:23:01.551000",
      "tags": [
        "comebacker",
        "collectionrat",
        "northkorea",
        "malware",
        "fullhouse",
        "espionage",
        "poolrat",
        "rats",
        "cybercrime",
        "odicloader",
        "rustbucket",
        "objcshellz",
        "kandykorn",
        "pondrat",
        "smoothoperator"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
      ],
      "public": 1,
      "adversary": "Various North Korean groups under the Reconnaissance General Bureau",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RustBucket",
          "display_name": "RustBucket",
          "target": null
        },
        {
          "id": "KANDYKORN",
          "display_name": "KANDYKORN",
          "target": null
        },
        {
          "id": "SmoothOperator",
          "display_name": "SmoothOperator",
          "target": null
        },
        {
          "id": "ObjCShellz",
          "display_name": "ObjCShellz",
          "target": null
        },
        {
          "id": "Fullhouse",
          "display_name": "Fullhouse",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "PondRAT",
          "display_name": "PondRAT",
          "target": null
        },
        {
          "id": "OdicLoader",
          "display_name": "OdicLoader",
          "target": null
        },
        {
          "id": "Comebacker",
          "display_name": "Comebacker",
          "target": null
        },
        {
          "id": "CollectionRAT",
          "display_name": "CollectionRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1009",
          "name": "Binary Padding",
          "display_name": "T1009 - Binary Padding"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 78,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 37,
        "URL": 2,
        "domain": 12,
        "hostname": 1
      },
      "indicator_count": 98,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386665,
      "modified_text": "599 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "688d7524289f57edfc461022",
      "name": "TraderTraitor Exposed: The Lazarus Crypto Heist Network",
      "description": "",
      "modified": "2025-09-01T02:00:30.266000",
      "created": "2025-08-02T02:17:08.314000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ESFBSOCTCR",
        "id": "200541",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "domain": 23,
        "hostname": 19
      },
      "indicator_count": 54,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 86,
      "modified_text": "273 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6889d70a58014bb2c1abe999",
      "name": "Who is TraderTraitor?",
      "description": "TraderTraitor represents a cluster of North Korean state-sponsored cyber activity orchestrated by advanced persistent threat (APT) groups including Lazarus Group, APT38, and others. This operation is primarily financially motivated, specifically targeting the cryptocurrency and blockchain ecosystem to fund North Korea's state programs amid extensive sanctions. U.S. agencies, including the FBI and CISA, have linked TraderTraitor to significant cryptocurrency thefts, such as the $308 million DMM Bitcoin exchange hack and a $1.5 billion breach of the Bybit crypto exchange. The operations of TraderTraitor are characterized by the use of sophisticated techniques including social engineering, trojanized applications, and supply chain compromises. For example, the group employs phishing tactics under the guise of job offers targeting employees in crypto-related roles to deploy malicious applications that appear functional.",
      "modified": "2025-08-29T08:00:34.369000",
      "created": "2025-07-30T08:25:46.133000",
      "tags": [
        "security",
        "threat intel",
        "research",
        "tradertraitor",
        "lazarus",
        "javascript",
        "github",
        "command",
        "july",
        "north korea",
        "jumpcloud",
        "safe",
        "wallet",
        "telegram",
        "manuscrypt",
        "malware",
        "bitcoin",
        "february",
        "python",
        "april",
        "bluenoroff",
        "evolution",
        "discord",
        "cloud",
        "service",
        "malicious",
        "execution",
        "manipulation",
        "tools",
        "stealer",
        "korean",
        "footer",
        "domain",
        "github security",
        "blog domain",
        "blog malicious",
        "github account",
        "fake github",
        "dafom",
        "value",
        "description",
        "source sha256",
        "stratofear"
      ],
      "references": [
        "https://www.wiz.io/blog/north-korean-tradertraitor-crypto-heist"
      ],
      "public": 1,
      "adversary": "TraderTraitor",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1578",
          "name": "Modify Cloud Compute Infrastructure",
          "display_name": "T1578 - Modify Cloud Compute Infrastructure"
        },
        {
          "id": "T1580",
          "name": "Cloud Infrastructure Discovery",
          "display_name": "T1580 - Cloud Infrastructure Discovery"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        },
        {
          "id": "T1609",
          "name": "Container Administration Command",
          "display_name": "T1609 - Container Administration Command"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 24,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 15,
        "hostname": 19
      },
      "indicator_count": 66,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 545,
      "modified_text": "276 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f73a3f45fa88890276d",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:23.616000",
      "created": "2024-11-24T03:37:23.616000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 25,
      "modified_text": "554 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67429f7224d433f384b935c8",
      "name": "StreamMining",
      "description": "",
      "modified": "2024-11-24T03:37:22.551000",
      "created": "2024-11-24T03:37:22.551000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": "670f94e03014212e19fa5a77",
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rivocado",
        "id": "300960",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "554 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f94e03014212e19fa5a77",
      "name": "Malicious-Dangerous-Domain&URL-New-IOC List",
      "description": "By Helaly",
      "modified": "2024-11-15T10:01:11.688000",
      "created": "2024-10-16T10:26:40.893000",
      "tags": [
        "eliminar",
        "leer ms",
        "wishlist vista",
        "poltica",
        "secadores",
        "vista",
        "sala",
        "vaporal",
        "utensilios",
        "belleza equipos",
        "ciudad"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 39659,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Eslam-ElHelaly",
        "id": "259630",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "URL": 170,
        "domain": 11158,
        "hostname": 3549
      },
      "indicator_count": 14883,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 80,
      "modified_text": "563 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66e1797e61f69c762b1dc8aa",
      "name": "Threat Assessment: North Korean Threat Groups",
      "description": "This blog presents a comprehensive assessment of North Korean threat groups, as well as the techniques Palo Alto Networks uses to protect customers from the malware campaigns they are carrying out on behalf of the Korean People's Army.",
      "modified": "2024-10-11T11:02:17.959000",
      "created": "2024-09-11T11:05:34.786000",
      "tags": [
        "cortex xdr",
        "hloader",
        "sugarloader",
        "figure",
        "kandykorn",
        "pondrat",
        "palo alto",
        "discord",
        "smoothoperator",
        "objcshellz",
        "fullhouse",
        "poolrat",
        "comebacker",
        "agent",
        "updateagent",
        "lazarus",
        "bluenoroff",
        "kimsuky",
        "alliance",
        "slow",
        "rats",
        "hack",
        "swift",
        "rust",
        "download",
        "python",
        "shell",
        "february",
        "class",
        "korean",
        "macos",
        "http",
        "linux",
        "windows",
        "rustbucket"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-groups-2024/"
      ],
      "public": 1,
      "adversary": "Comebacker",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Korean",
          "display_name": "Korean",
          "target": null
        },
        {
          "id": "MacOS",
          "display_name": "MacOS",
          "target": null
        },
        {
          "id": "Fullhouse",
          "display_name": "Fullhouse",
          "target": null
        },
        {
          "id": "HTTP",
          "display_name": "HTTP",
          "target": null
        },
        {
          "id": "POOLRAT",
          "display_name": "POOLRAT",
          "target": null
        },
        {
          "id": "Linux",
          "display_name": "Linux",
          "target": null
        },
        {
          "id": "Windows",
          "display_name": "Windows",
          "target": null
        },
        {
          "id": "RustBucket",
          "display_name": "RustBucket",
          "target": null
        },
        {
          "id": "macOS",
          "display_name": "macOS",
          "target": null
        },
        {
          "id": "Comebacker",
          "display_name": "Comebacker",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1104",
          "name": "Multi-Stage Channels",
          "display_name": "T1104 - Multi-Stage Channels"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Financial",
        "Media",
        "Defense"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 36,
        "FileHash-SHA1": 36,
        "FileHash-SHA256": 37,
        "URL": 2,
        "domain": 29,
        "hostname": 1
      },
      "indicator_count": 141,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 867,
      "modified_text": "598 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c7e49b4ca9d524fe2af625",
      "name": "North Korea Leverages\u00a0SaaS Provider\u00a0in\u00a0a Targeted\u00a0Supply Chain Attack | Mandiant",
      "description": "This report comprehensively analyzes a sophisticated supply chain attack against JumpCloud, attributed to UNC4899, a suspected North Korean element within the Reconnaissance General Bureau. The threat actors targeted organizations involved with cryptocurrency, employing advanced tactics, techniques, and procedures and deploying multiple backdoors. The report offers actionable intelligence to bolster defenses, respond effectively to incidents, and mitigate risks associated with these cyber threats. Key recommendations include implementing multi-factor authentication, regular security awareness training, advanced endpoint protection solutions, and a zero-trust architecture. Given UNC4899's demonstrated capabilities and focus on IT service providers and cryptocurrency organizations, immediate action is advised.",
      "modified": "2023-08-30T16:03:29.422000",
      "created": "2023-07-31T16:43:07.157000",
      "tags": [],
      "references": [
        "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "STRATOFEAR",
          "display_name": "STRATOFEAR",
          "target": null
        },
        {
          "id": "TIEDYE",
          "display_name": "TIEDYE",
          "target": null
        },
        {
          "id": "FULLHOUSE.DOORED",
          "display_name": "FULLHOUSE.DOORED",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Financial Services"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "99gmotor",
        "id": "234776",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 1,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 11,
        "URL": 3,
        "domain": 10
      },
      "indicator_count": 39,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 46,
      "modified_text": "1005 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64c11c5a734d0bbea3270355",
      "name": "North Korea Leverages\u00a0SaaS Provider\u00a0in\u00a0a Targeted\u00a0Supply Chain Attack | Mandiant",
      "description": "Mandiant, the world's leading cyber security intelligence provider, has announced that it is expanding its platform and offering products and services to help companies and governments defend against cyber crime. \u00a31.",
      "modified": "2023-08-25T13:03:32.676000",
      "created": "2023-07-26T13:15:06.141000",
      "tags": [
        "mandiant",
        "stratofear",
        "unc4899",
        "tiedye",
        "cyber security",
        "dprk",
        "jumpcloud",
        "ruby script",
        "strong",
        "digital threat",
        "protect",
        "contact",
        "service",
        "config",
        "virustotal",
        "solve",
        "embed",
        "close",
        "test",
        "life",
        "advantage",
        "find",
        "austin",
        "june",
        "write",
        "path",
        "vmprotect",
        "macos",
        "lazarus",
        "win64",
        "footer",
        "fullhouse.doored"
      ],
      "references": [
        "https://www.mandiant.com/resources/blog/north-korea-supply-chain"
      ],
      "public": 1,
      "adversary": "DPRK",
      "targeted_countries": [
        "Korea, Republic of",
        "United States of America",
        "Hong Kong",
        "Singapore"
      ],
      "malware_families": [
        {
          "id": "STRATOFEAR",
          "display_name": "STRATOFEAR",
          "target": null
        },
        {
          "id": "TIEDYE",
          "display_name": "TIEDYE",
          "target": null
        },
        {
          "id": "DPRK",
          "display_name": "DPRK",
          "target": null
        },
        {
          "id": "FULLHOUSE.DOORED",
          "display_name": "FULLHOUSE.DOORED",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        }
      ],
      "industries": [
        "Cryptocurrency",
        "Financial Services",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 8,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 11,
        "URL": 3,
        "domain": 10
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 864,
      "modified_text": "1010 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64bee8364be919430e12420a",
      "name": "JumpCloud Breach Linked to UNC4899",
      "description": "",
      "modified": "2023-08-23T21:00:34.495000",
      "created": "2023-07-24T21:08:06.600000",
      "tags": [],
      "references": [
        "July 25th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2883 - JumpCloud Breach Linked to UNC4899.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 1,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 11,
        "domain": 6
      },
      "indicator_count": 29,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1012 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "relysudden.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "relysudden.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780316941.0641255
}