{ "type": "Domain", "indicator": "requests.post", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/requests.post", "alexa": "http://www.alexa.com/siteinfo/requests.post", "indicator": "requests.post", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2570002301, "indicator": "requests.post", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69931d7b5ba26f878ccbdc85", "name": "AI/LLM-Generated Malware Used to Exploit React2Shell", "description": "Recent observations from Darktrace's honeypot network, \"CloudyPots,\" highlight the use of AI-generated malware exploiting vulnerable Docker environments, specifically the Docker daemon exposed without authentication. This configuration allows attackers to discover the daemon and create containers through the Docker API, establishing initial access to the system.\n\nThe central component of the intrusion was a Python payload that acted as the execution mechanism. The payload was notably obfuscated, indicating a deliberate effort to disguise its functionality. Throughout the malware sample, there was a lack of embedded spreading logic, which is typically found in Docker malware. This omission suggests that the attackers utilized a separate remote spreading tool instead.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:36:59.775000", "tags": [ "ip address", "february", "beyondtrust", "compromise", "possible", "threat research", "darktrace", "rare external", "activity", "c2 server", "concept", "suspicious", "docker api" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 3, "domain": 2, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698b41f0cbddf7e999ffcef9", "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell", "description": "", "modified": "2026-03-12T14:03:57.105000", "created": "2026-02-10T14:34:24.334000", "tags": [ "snappybee", "virtualprotect", "virtualalloc", "dllmain", "follow", "deed rat", "salt typhoon", "trendmicro", "november", "cobalt strike", "python", "malware", "loader" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "URL": 7, "domain": 5 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682aea84648e090682772ff6", "name": "Analysis of Malicious Checker Packages on PyPI: Probing TikTok and Instagram", "description": "This comprehensive report from Socket.dev examines the emergence of malicious checker packages on PyPI that target TikTok and Instagram. The analysis uncovers the sophisticated tactics, techniques, and procedures (TTPs) employed by cybercriminals to exploit these platforms.", "modified": "2025-06-18T08:01:51.853000", "created": "2025-05-19T08:23:32.203000", "tags": [ "instagram", "tiktok", "pypi package", "apis", "socket threat", "march", "csrf token", "pypi", "tiktok account", "research team", "ukraine", "april", "cyber", "android", "telegram", "dark", "lazarus", "tiktok api" ], "references": [ "https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TikTok API", "display_name": "TikTok API", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 43, "domain": 1, "email": 2, "hostname": 3 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c08242e066fe62a86e5e24", "name": "The-Ultimate-Black-basta-chat-leak", "description": "Black Basta ransomware is actively exploiting Veeam Backup & Replication and Atlassian Confluence vulnerabilities for initial access and privilege escalation. Leaked chats reveal a structured attack strategy targeting unpatched enterprise systems. Immediate patching and enhanced monitoring are recommended to mitigate risk.", "modified": "2025-03-29T15:03:32.562000", "created": "2025-02-27T15:18:26.491000", "tags": [ "commandline", "accountname", "eventid", "newprocessname", "timegenerated", "veeam", "anydesk", "powershell", "sharename", "objectname", "lockbit", "mimikatz", "ransomware", "lsass", "procdump", "helldown", "buddy", "netscan", "blackbasta", "download", "trigger", "realvnc", "chat", "strings", "pikabot", "defender", "recon", "psexec", "persistence", "metasploit", "soar", "kill", "black basta", "atomic red", "zimbra", "socks proxy", "cobalt strike", "netcat", "execution", "team", "amadey", "shell", "formbook", "date", "look", "conti", "agenttesla", "monitoring", "meterpreter", "encodedcommand", "kali", "april", "february", "august", "batloader", "defense", "target", "manipulation", "qbot", "exploit", "speed", "null", "python", "userinit", "tools", "project", "sentinel", "black", "example" ], "references": [ "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac", "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 7, "URL": 23, "domain": 12, "email": 1, "hostname": 9 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bf134d3d66a49d24cc12e1", "name": "Malicious PyPI Package Exploits Deezer API for Coordinated M...", "description": "A malicious PyPI package that exploits the Deezer music streaming service\u2019s API for coordinated piracy has been uncovered by researchers at the Open Source Security Research Centre (OSRC) in London.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:12:45.122000", "tags": [ "deezer", "urls", "socket", "pypi package", "pypi", "isrcs", "apis", "compromise", "france", "steal" ], "references": [ "https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 4, "domain": 2, "email": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bdd8f7ef4e2e3e43204f78", "name": "BlackBasta ransomware", "description": "The Conti ransomware group have splintered into multiple threat groups, including Black Basta. Black Basta has emerged as one of the most significant ransomware threats. The analysis observed that Black Basta has compromised over 50 organizations in the United States, United Kingdom, Australia, New Zealand, and Canada in just two months. This indicates the group\u2019s high success rate in compromising organizations. The latest version of the ransomware is likely to enhance their ability to evade antivirus and EDR systems.", "modified": "2025-03-27T14:00:18.111000", "created": "2025-02-25T14:51:35.543000", "tags": [ "blackbasta", "ransomware" ], "references": [ "https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackBasta", "display_name": "BlackBasta", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8, "domain": 9, "hostname": 3 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6655a8f77482c5968024f361", "name": "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages", "description": "", "modified": "2024-06-27T09:01:15.628000", "created": "2024-05-28T09:50:47.616000", "tags": [ "primary article", "cybersecurity", "mythic", "poseidon agent", "pbors", "india", "globshell", "sparsh", "iso image", "pdf lure", "reference", "defense", "downloader", "execution", "python", "desktop", "discord", "april", "rust", "format", "virustotal", "media", "path", "winrar", "phishing", "project", "download", "reboot", "shell", "persistence", "capture", "import" ], "references": [ "https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 70, "FileHash-SHA256": 86, "URL": 33, "YARA": 1, "domain": 24, "hostname": 2 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660bfb75e35090db1bd21e07", "name": "Typosquatting Campaign Targets Python Developers", "description": "As part of Phylum\u2019s annual security review, we take a look at the latest typosquat attacks targeting Python developers and how they might be used to target their own code.", "modified": "2024-04-02T12:35:01.061000", "created": "2024-04-02T12:35:01.061000", "tags": [ "research", "pypi", "march", "python", "phylum", "pytorch", "backgroundfirst", "insanepackage", "insane", "publication", "beautifulsoup26", "virustotal", "typosquatting", "zgrat" ], "references": [ "https://blog.phylum.io/typosquatting-campaign-targets-python-developers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Typosquatting", "display_name": "Typosquatting", "target": null }, { "id": "zgRAT", "display_name": "zgRAT", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 4, "email": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "788 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "648b7ee010b41ae494305f6c", "name": "PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) - Python webapps Exploit", "description": "A look at the key points of the searchSploit tool, which has been used for more than two decades to find out how to hack into the system and access the login details of users.\nPyLoad is an open-source download manager written in Python. It is designed to simplify and automate the process of downloading files from various hosting websites, file sharing platforms, and other online sources. PyLoad provides a web-based interface that allows users to manage their downloads, add new download links, and monitor the progress of ongoing downloads.", "modified": "2023-06-15T21:13:04.021000", "created": "2023-06-15T21:13:04.021000", "tags": [ "python", "webapps", "cve-2023-0297", "google hacking", "offsec", "ghdb", "johnny", "database", "certifications", "internet search", "internet", "johnny long", "defcon" ], "references": [ "https://www.exploit-db.com/exploits/51522" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "bryce.davis2", "id": "234174", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 1, "domain": 2 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 5, "modified_text": "1080 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "643921f1b71b1924d9cfc720", "name": "Legion: an AWS Credential Harvester and SMTP Hijacker - Cado Security | Cloud Investigation", "description": "Cado Labs has discovered a new type of malware that targets vulnerable AWS servers and targets such as Twilio and Shodan, and is designed to hijack SMTP and other web hosting services.", "modified": "2023-04-14T09:50:41.535000", "created": "2023-04-14T09:50:41.535000", "tags": [ "telegram", "legion", "khtml", "gecko", "cado labs", "cado", "macintosh", "intel mac", "os x", "smtp", "androxgh0st", "execution", "apache", "virustotal", "february", "tools", "example", "python", "concept", "indonesia", "android", "win64" ], "references": [ "https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/" ], "public": 1, "adversary": "Telegram", "targeted_countries": [ "Indonesia" ], "malware_families": [], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 2, "domain": 2, "hostname": 1 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "1142 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63c81765f582ad0766bec4fe", "name": "Unknown Vulnerability in SugarCRM has Exploit Code Released", "description": "Cybercriminals are highly likely to attempt to exploit an, at the time, unknown vulnerability, now tracked as CVE-2023-22952, in SugarCRM Sell, Serve, Enterprise, Professional, and Ultimate software solutions due to exploit code being published through multiple outlets. The Adversary Tactics and Intelligence team (ATI) is aware of one report of active exploitation. However, ATI cannot verify the source's reliability or credibility, and CISA has not added this vulnerability to its Known Exploited Vulnerabilities Catalog. Censys identified 3,059 instances of SugarCRM on the internet and 354 unique IP addresses containing the exploit's installed webshell. According to their data, most infected hosts are located in the US, accounting for 32.5%, and Germany is the second most infected country, accounting for 21.3% of all infected hosts.", "modified": "2023-01-18T15:59:33.584000", "created": "2023-01-18T15:59:33.584000", "tags": [ "dw-osint-cib", "vulnerability", "technology/sugarcrm", "cve-2023-22952" ], "references": [ "https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update", "https://censys.io/tracking-a-sugarcrm-zero-day/", "https://seclists.org/fulldisclosure/2022/Dec/31" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "1228 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "Black Energy.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "APT group ups targets us gov.pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-05-18 - TT Malware Log.pdf", "https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN", "https://censys.io/tracking-a-sugarcrm-zero-day/", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-10-15 - Archivist.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "Cmstar Downloader.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "Demonstrating Hustle.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "APT 28 (1).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-02-15 - Carbanak.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Attacks against Israeli & Palestinian interests.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "https://www.exploit-db.com/exploits/51522", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell", "blog.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "Dukes.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "Casper Malware.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "APT CVE-2015-5119.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "Behind the syria conflict.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "Goldfish Phishing.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "Agent.BTZ to ComRAT.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "Duqu 2.0 Yara rules.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "Black Vine.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "Duke cloud Linux.pdf", "https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "Babar.pdf", "Indicators of Compormise Hellsing.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "https://www.cadosecurity.com/legion-an-aws-credential-harvester-and-smtp-hijacker/", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-02-25 - Pony Sourcecode.pdf", "https://blog.phylum.io/typosquatting-campaign-targets-python-developers/", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "https://seclists.org/fulldisclosure/2022/Dec/31", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "Trojan Skelky.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "Duqu 2.0 Win32K Exploit.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "BBSRAT Roaming Tiger.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "Blue termite (1).pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "Attacks on France TV5 Monde.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Copy Kittens.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "Anthem hack all roads lead to China.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "APT 28.pdf", "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "Bookworm Trojan (1).pdf", "Rocket Kitten.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "Emdivi.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "Babar or Bunny.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "Animals in the APT Farm.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-03-28 - UACME.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "Apt 28 (2).pdf", "China Peace Palace.pdf", "https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy", "2015-08-19 - Antak WebShell.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "Wild Neutron.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Telegram", "Lazarus" ], "malware_families": [ "Blackbasta", "Typosquatting", "Zgrat", "Tiktok api" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69f4dfa6405cf7858f1b732a", "name": "2015: Malware Analysis Report", "description": "", "modified": "2026-05-01T17:15:18.968000", "created": "2026-05-01T17:15:18.968000", "tags": [], "references": [ "2015-01-08 - Getmypass Point of Sale Malware Update.pdf", "2015-01-13 - New Carberp variant heads down under.pdf", "2015-01-11 - The Mozart RAM Scraper.pdf", "2015-01-06 - Linux DDoS Trojan hiding itself with an embedded rootkit.pdf", "2015-01-09 - Chanitor Downloader Actively Installing Vawtrak.pdf", "2015-01-08 - Major malvertising campaign spreads Kovter Ad Fraud malware.pdf", "2015-01-15 - Weiterentwicklung anspruchsvoller Spyware- von Agent.BTZ zu ComRAT.pdf", "2015-01-20 - Analysis of Project Cobra.pdf", "2015-01-14 - Catching the \u201cInception Framework\u201d Phishing Attack.pdf", "2015-01-22 - New RATs Emerge from Leaked Njw0rm Source Code.pdf", "2015-01-26 - Storm Chasing- Hunting Hurricane Panda.pdf", "2015-01-21 - The DGA of Symmi.pdf", "2015-01-22 - Malvertising Leading To Flash Zero Day Via Angler Exploit Kit.pdf", "2015-02-04 - Pawn Storm Update- iOS Espionage App Found.pdf", "2015-01-22 - Scarab attackers took aim at select Russian targets since 2012.pdf", "2015-02-09 - Anthem Breach May Have Started in April 2014.pdf", "2015-02-15 - Carbanak.pdf", "2015-02-16 - Equation- The Death Star of Malware Galaxy.pdf", "2015-02-16 - How \u201comnipotent\u201d hackers tied to NSA hid for 14 years\u2014and were found at last.pdf", "2015-02-12 - Mobile Malware Gang Steals Millions from South Korean Users.pdf", "2015-02-17 - Ali Baba, the APT group from the Middle East.pdf", "2015-02-17 - Angry Android hacker hides Xbot malware in popular application icons .pdf", "2015-02-17 - BE2 extraordinary plugins, Siemens targeting, dev fails.pdf", "2015-02-18 - Babar- espionage software finally found and put under the microscope.pdf", "2015-02-18 - Babar- Suspected Nation State Spyware In The Spotlight.pdf", "2015-02-17 - The Desert Falcons targeted attacks.pdf", "2015-02-18 - Sexually Explicit Material Used as Lures in Recent Cyber Attacks.pdf", "2015-02-05 - Anatomy of a Brute Force Campaign- The Story of Hee Thai Limited.pdf", "2015-02-18 - Meet Babar, a New Malware Almost Certainly Created by France.pdf", "2015-02-25 - KINS Banking Trojan Source Code.pdf", "2015-02-19 - Arid Viper \u2013 Israel entities targeted by malware packaged with sex video.pdf", "2015-02-23 - Cyber Kung-Fu- The Great Firewall Art of DNS Poisoning.pdf", "2015-02-27 - ScanBox Framework.pdf", "2015-02-25 - Pony Sourcecode.pdf", "2015-02-20 - The DGAs of Necurs.pdf", "2015-03-03 - C99Shell not dead.pdf", "2015-03-03 - PwnPOS- Old Undetected PoS Malware Still Causing Havoc.pdf", "2015-03-04 - New crypto ransomware in town - CryptoFortress.pdf", "2015-03-04 - And you get a POS malware name...and you get a POS malware name....and you get a POS malware name.....pdf", "2015-03-06 - Animals in the APT Farm.pdf", "2015-03-07 - Slave, Banatrix and ransomware.pdf", "2015-02-27 - The Anthem Hack- All Roads Lead to China.pdf", "2015-03-05 - Casper Malware- After Babar and Bunny, Another Espionage Cartoon.pdf", "2015-03-09 - CryptoFortress mimics TorrentLocker but is a different ransomware.pdf", "2015-03-04 - Who\u2019s Really Spreading through the Bright Star-.pdf", "2015-03-10 - The DGA of Pykspa.pdf", "2015-03-11 - Malvertising Targeting European Transit Users.pdf", "2015-03-19 - Analyzing a Backdoor-Bot forthe MIPS Platform.pdf", "2015-03-11 - Inside the EquationDrug Espionage Platform.pdf", "2015-02-27 - VB2014 paper- The pluginer - Caphaw.pdf", "2015-03-19 - Rocket Kitten Showing Its Claws- Operation Woolen-GoldFish and the GHOLE campaign.pdf", "2015-03-30 - Fake Judicial Spam Leads to Backdoor with Fake Certificate Authority.pdf", "2015-03-19 - FindPOS- New POS Malware Family Discovered.pdf", "2015-03-31 - Volatile Cedar - Analysis of a Global Cyber Espionage Campaign.pdf", "2015-03-20 - Threat Spotlight- PoSeidon, A Deep Dive Into Point of Sale Malware.pdf", "2015-03-30 - New reconnaissance threat Trojan.Laziok targets the energy sector.pdf", "2015-03-31 - Sinkholing Volatile Cedar DGA Infrastructure.pdf", "2015-04-01 - NewPosThings Has New PoS Things.pdf", "2015-04-09 - Beebone Botnet Takedown- Trend Micro Solutions.pdf", "2015-03-28 - UACME.pdf", "2015-04-09 - Operation Buhtrap, the trap for Russian accountants.pdf", "2015-04-13 - Cyber Deterrence in Action- A story of one long HURRICANE PANDA campaign.pdf", "2015-04-15 - Elite cyber crime group strikes back after attack by rival APT gang.pdf", "2015-04-13 - Analyzing Gootkit's persistence mechanism (new ASEP inside!).pdf", "2015-04-14 - Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets.pdf", "2015-04-15 - Betabot retrospective.pdf", "2015-04-12 - SIMDA- A Botnet Takedown.pdf", "2015-04-15 - Knowledge Fragment- Bruteforcing Andromeda Configuration Buffers.pdf", "2015-04-13 - sqlconnt1.exe.pdf", "2015-04-18 - Operation RussianDoll- Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia\u2019s APT28 in Highly-Targeted Attack.pdf", "2015-04-15 - New POS Malware Emerges - Punkey.pdf", "2015-04-15 - The Chronicles of the Hellsing APT- the Empire Strikes Back.pdf", "2015-04-21 - Bedep\u2019s DGA- Trading Foreign Exchange for Malware Domains.pdf", "2015-04-17 - Andromeda-Gamarue bot loves JSON too (new versions details).pdf", "2015-04-27 - Attacks against Israeli & Palestinian interests.pdf", "2015-05-04 - Threat Spotlight- Rombertik \u2013 Gazing Past the Smoke, Mirrors, and Trapdoors.pdf", "2015-04-15 - The Chronicles of the Hellsing APT_the Empire Strikes Back.pdf", "2015-05-10 - Third-Party Software Was Entry Point for Background-Check System Hack.pdf", "2015-04-29 - Unboxing Linux-Mumblehard- Muttering spam from your servers.pdf", "2015-05-15 - Carefirst Blue Cross Breach Hits 1.1M.pdf", "2015-05-14 - The Naikon APT.pdf", "2015-05-07 - Dissecting the \u201cKraken\u201d.pdf", "2015-05-18 - Cmstar Downloader- Lurid and Enfal\u2019s New Cousin.pdf", "2015-05-17 - Newest addition to a happy family- KBOT.pdf", "2015-05-22 - The DGA of Ranbyus.pdf", "2015-04-27 - Threat Spotlight- TeslaCrypt \u2013 Decrypt It Yourself.pdf", "2015-05-20 - Bedep Ad-Fraud Botnet Analysis \u2013 Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day.pdf", "2015-05-23 - NitlovePOS- Another New POS Malware.pdf", "2015-05-26 - Moose \u2013 the router worm with an appetite for social networks.pdf", "2015-05-18 - TT Malware Log.pdf", "2015-06-01 - Rhetoric Foreshadows Cyber Activity in the South China Sea.pdf", "2015-05-28 - Unusual Exploit Kit Targets Chinese Users (Part 1).pdf", "2015-06-03 - Thamar Reservoir \u2013 An Iranian cyber-attack campaign against targets in the Middle East.pdf", "2015-06-01 - \u201cTroldesh\u201d \u2013 New Ransomware from Russia.pdf", "2015-06-04 - KeyBase Keylogger Malware Family Exposed.pdf", "2015-06-12 - Unusual Exploit Kit Targets Chinese Users (Part 2).pdf", "2015-06-15 - Stegoloader- A Stealthy Information Stealer.pdf", "2015-06-15 - Catching Up on the OPM Breach.pdf", "2015-06-10 - The Mystery of Duqu 2.0- a sophisticated cyberespionage actor returns.pdf", "2015-06-16 - Operation Lotus Blossom- A New Nation-State Cyberthreat-.pdf", "2015-06-09 - New Data- Volatile Cedar Malware Campaign.pdf", "2015-05-29 -The MsnMM Campaigns - The Earliest Naikon APT Campaigns.pdf", "2015-06-22 - Games are over- Winnti is now targeting pharmaceutical companies.pdf", "2015-06-19 - Digital Attack on German Parliament- Investigative Report on the Hack of the Left Party Infrastructure in Bundestag.pdf", "2015-06-23 - Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign.pdf", "2015-06-18 - So Long, and Thanks for All the Domains.pdf", "2015-06-17 - The Spring Dragon APT.pdf", "2015-06-25 - Sundown EK Spreads LuminosityLink RAT- Light After Dark.pdf", "2015-06-24 - Stealthy Cyberespionage Campaign Attacks With Social Engineering.pdf", "2015-06-24 - UnFIN4ished Business.pdf", "2015-07-08 - Wild Neutron \u2013 Economic espionage threat actor returns with new tricks.pdf", "2015-07-02 - Win32-Lethic Botnet Analysis.pdf", "2015-07-10 - Sednit APT Group Meets Hacking Team.pdf", "2015-06-24 - Elusive HanJuan EK Drops New Tinba Version (updated).pdf", "2015-07-07 - Dyre Banking Trojan Exploits CVE-2015-0057.pdf", "2015-07-13 - Revisiting The Bunitu Trojan.pdf", "2015-07-14 - BernhardPOS.pdf", "2015-07-14 - TeslaCrypt 2.0 disguised as CryptoWall.pdf", "2015-07-08 - Butterfly- Profiting from high-level corporate attacks.pdf", "2015-07-05 - Spy Tech Company 'Hacking Team' Gets Hacked.pdf", "2015-07-08 - Animal Farm APT and the Shadow of French Intelligence.pdf", "2015-07-16 - Github Repo with source code of cd00r.c.pdf", "2015-07-19 - The Faulty Precursor of Pykspa's DGA.pdf", "2015-07-31 - OTX Pulse on PlugX.pdf", "2015-08 - Uncovering the Seven Pointed Dagger.pdf", "2015-07-27 - UPS- Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload.pdf", "2015-07-13 - \u201cForkmeiamfamous\u201d- Seaduke, latest weapon in the Duke armory.pdf", "2015-07-20 - Watering Hole Attack on Aerospace Firm Exploits CVE-2015-5122 to Install IsSpace Backdoor.pdf", "2015-07-22 - Duke APT group's latest tools- cloud services and Linux support.pdf", "2015-07-30 - Sakula Malware Family.pdf", "2015-08-10 - Darkhotel\u2019s attacks in 2015.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked 100+ websites to use as \u201cwatering holes\u201d.pdf", "2015-07-31 - OTX- FBI Flash 68 (PlugX).pdf", "2015-07-30 - Operation Potao Express- Analysis of a cyber?espionage toolkit.pdf", "2015-08-18 - Knowledge Fragment- Unwrapping Fobber.pdf", "2015-08-12 - Islamic State Hacking Division.pdf", "2015-08-19 - Antak WebShell.pdf", "2015-08-12 - Tinba Trojan Sets Its Sights on Romania.pdf", "2015-08-05 - Newly discovered Chinese hacking group hacked over 100 websites to use as \u201cwatering holes\u201d.pdf", "2015-08-18 - ransomware open-sources.pdf", "2015-08-26 - Sphinx, a new variant of Zeus available for sale in the underground.pdf", "2015-08-19 - Inside Neutrino botnet builder.pdf", "2015-08-05 - Threat Group 3390 Cyberespionage.pdf", "2015-08-24 - Sphinx- New Zeus Variant for Sale on the Black Market.pdf", "2015-08-05 - Who\u2019s Behind Your Proxy- Uncovering Bunitu\u2019s Secrets.pdf", "2015-08-20 - Retefe Banking Trojan Targets Sweden, Switzerland and Japan.pdf", "2015-09-09 - Pony Stealer Malware.pdf", "2015-09-16 - Operation Iron Tiger- Attackers Shift from East Asia to the United States.pdf", "2015-08-27 - London Calling- Two-Factor Authentication Phishing From Iran.pdf", "2015-09-11 - CSI MacMark- Janicab.pdf", "2015-09-12 - Stuxnet code.pdf", "2015-09-23 - Chinese Actors Use \u20183102\u2019 Malware in Attacks on US Government and EU Media.pdf", "2015-08-27 - New Spear Phishing Campaign Pretends to be EFF.pdf", "2015-09-08 - Carbanak gang is back and packing new guns.pdf", "2015-09-03 - Three Variants of Murofet's DGA.pdf", "2015-09-01 - Attackers Target Organizations in Japan; Transform Local Sites into C&C Servers for EMDIVI Backdoor.pdf", "2015-08-31 - Shifu- \u2018Masterful\u2019 New Banking Trojan Is Attacking 14 Japanese Banks.pdf", "2015-09-14 - The Shade Encryptor- a Double Threat.pdf", "2015-09-11 - SUCEFUL- Next Generation ATM Malware.pdf", "2015-09-09 - Satellite Turla- APT Command and Control in the Sky.pdf", "2015-09-17 - The Dukes- 7 Years Of Russian Cyber-Espionage.pdf", "2015-09-24 - Credit Card-Scraping Kasidet Builder Leads to Spike in Detections.pdf", "2015-09-24 - Kovter malware learns from Poweliks with persistent fileless registry update.pdf", "2015-09-18 - Operation Arid Viper Slithers Back into View.pdf", "2015-09-01 - Fancy Bear.pdf", "2015-09-25 - Notes on Linux-Xor.DDoS.pdf", "2015-09-23 - Ranbyus's DGA, Revisited.pdf", "2015-09-29 - Andromeda Bot Analysis part 1.pdf", "2015-10-06 - I am HDRoot! Part 1.pdf", "2015-10-06 - Ticked Off- Upatre Malware\u2019s Simple Anti-analysis Trick to Defeat Sandboxes.pdf", "2015-10-01 - Linux.Rekoobe.1.pdf", "2015-10-06 - MOKER- A NEW APT DISCOVERED WITHIN A SENSITIVE NETWORK.pdf", "2015-10-06 - Targeted Attack Exposes OWA Weakness.pdf", "2015-09-28 - Gaza cybergang, where\u2019s your IR team-.pdf", "2015-10-12 - Keybase Logger-Clipboard-CredsStealer campaign.pdf", "2015-10-07 - Hacker Group Creates Network of Fake LinkedIn Profiles.pdf", "2015-10-09 - Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan.pdf", "2015-10-09 - Beta Bot Analysis- Part 1.pdf", "2015-10-13 - I am HDRoot! Part 2.pdf", "2015-09-28 - Two New PoS Malware Affecting US SMBs.pdf", "2015-10-13 - Dridex (Bugat v5) Botnet Takeover Operation.pdf", "2015-10-19 - Github Repository for AllaKore.pdf", "2015-10-16 - Surveillance Malware Trends- Tracking Predator Pain and HawkEye.pdf", "2015-10-13 - New Adobe Flash Zero-Day Used in Pawn Storm Campaign Targeting Foreign Affairs Ministries.pdf", "2015-09-24 - Meet GreenDispenser- A New Breed of ATM Malware.pdf", "2015-10-17 - How to Write Simple but Sound Yara Rules \u2013 Part 2.pdf", "2015-10-13 - Prolific Cybercrime Gang Favors Legit Login Credentials.pdf", "2015-10-15 - Archivist.pdf", "2015-09-23 - Quaverse RAT- Remote-Access-as-a-Service.pdf", "2015-10-26 - Duuzer back door Trojan targets South Korea to take over computers.pdf", "2015-10-22 - Pawn Storm Targets MH17 Investigation Team.pdf", "2015-11-02 - Troj-Cryakl-B.pdf", "2015-09-29 - Andromeda Bot Analysis part 2.pdf", "2015-10-28 - Reversing the C2C HTTP Emmental communication.pdf", "2015-11-02 - Modular trojan for hidden access to a computer.pdf", "2015-11-03 - Reversing the SMS C&C protocol of Emmental (1st part - understanding the code).pdf", "2015-11-05 - Sphinx Moth- Expanding our knowledge of the \u201cWild Neutron\u201d - \u201cMorpho\u201d APT.pdf", "2015-09-28 - Hammertoss- What, Me Worry-.pdf", "2015-10-08 - Dyre Malware Campaigners Innovate with Distribution Techniques.pdf", "2015-11-04 - \u201cOffline\u201d Ransomware Encrypts Your Data without C&C Communication.pdf", "2015-11-10 - Bookworm Trojan- A Model of Modular Architecture.pdf", "2015-11-11 - Operation Buhtrap malware distributed via ammyy.com.pdf", "2015-11-02 - Shifu \u2013 the rise of a self-destructive banking trojan.pdf", "2015-11-04 - DroidJack isn\u2019t the only spying software out there- Avast discovers OmniRat.pdf", "2015-11-17 - New Memory Scraping Technique in Cherry Picker PoS Malware.pdf", "2015-11-11 - AbaddonPOS- A new point of sale threat linked to Vawtrak.pdf", "2015-12-01 - China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets.pdf", "2015-11-16 - Shining the Spotlight on Cherry Picker PoS Malware.pdf", "2015-12-03 - Colombians major target of email campaigns delivering Xtreme RAT.pdf", "2015-11-04 - A Technical Look At Dyreza.pdf", "2015-12-04 - Sofacy APT hits high profile targets with updated toolset.pdf", "2015-12-16 - Nemucod malware spreads ransomware Teslacrypt around the world.pdf", "2015-12-08 - VT Report for SmartEyes.pdf", "2015-12-09 - Inside Chimera Ransomware - the first 'doxingware' in wild.pdf", "2015-12-18 - Attack on French Diplomat Linked to Operation Lotus Blossom.pdf", "2015-12-17 - SlemBunk- An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps.pdf", "2015-12-26 - Backdoor- Win32-Hesetox.A- vSkimmer POS Malware Analysis _.pdf", "2015-11-20 - A king's ransom- an analysis of the CTB-locker ransomware.pdf", "2015-11-16 - Introducing LogPOS.pdf", "2015-12-22 - Kraken's two Domain Generation Algorithms.pdf", "2015-12-07 - Iran-based attackers use back door threats to spy on Middle Eastern targets.pdf", "2015-11-06 - OmniRAT Takes Over Android Devices Through Social Engineering Tricks.pdf", "2015-12-11 - LATENTBOT- Trace Me If You Can.pdf", "2015-11-30 - Inside Braviax-FakeRean- An analysis and history of a FakeAV family.pdf", "2015-12-01 - Operation Black Atlas Endangers In-Store Card Payments and SMBs Worldwide; Switches between BlackPOS and Other Tools.pdf", "2015-12-22 - BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger.pdf", "Agent.BTZ to ComRAT.pdf", "2015-11-25 - Detecting GlassRAT using Security Analytics and ECAT.pdf", "2015-12-08 - Packrat- Seven Years of a South American Threat Actor.pdf", "Afghan Government Compromise - Browser Beware.pdf", "Anthem hack all roads lead to China.pdf", "ANALYSIS ON APT TO BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Animals in the APT Farm.pdf", "APT CVE-2015-5119.pdf", "APT 28 (1).pdf", "Attacks against Israeli & Palestinian interests.pdf", "APT group ups targets us gov.pdf", "Black Energy.pdf", "blog.pdf", "APT 28.pdf", "Babar.pdf", "Black Vine.pdf", "Behind the syria conflict.pdf", "Attacks on France TV5 Monde.pdf", "Casper Malware.pdf", "2015-12-31 - Overseas -Dark Inn- organization launched an APT attack on executives of domestic enterprises.pdf", "Demonstrating Hustle.pdf", "Cmstar Downloader.pdf", "Apt 28 (2).pdf", "Bookworm Trojan (1).pdf", "ANALYSIS ON APT-TO-BE ATTACK THAT FOCUSING ON CHINAS GOVERNMENT AGENCY.pdf", "Duke cloud Linux.pdf", "Dukes.pdf", "Duqu 2.0 Yara rules.pdf", "Duqu 2.0 Win32K Exploit.pdf", "Dino.pdf", "Duke cloud Linux (1).pdf", "Goldfish Phishing.pdf", "Indicators of Compormise Hellsing.pdf", "Rocket Kitten.pdf", "Trojan Skelky.pdf", "Wild Neutron.pdf", "2015-04-09 - The Banking Trojan Emotet- Detailed Analysis.pdf", "2015-07-23 - An Analysis of the Qadars Banking Trojan.pdf", "Babar or Bunny.pdf", "BBSRAT Roaming Tiger.pdf", "Blue termite (1).pdf", "China Peace Palace.pdf", "Copy Kittens.pdf", "Emdivi.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "kikinumpav", "id": "385742", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1032, "FileHash-SHA1": 544, "IPv4": 487, "FileHash-MD5": 1665, "URL": 673, "hostname": 959, "CVE": 45, "FileHash-SHA256": 411, "email": 11, "CIDR": 4, "BitcoinAddress": 2, "YARA": 7 }, "indicator_count": 5840, "is_author": false, "is_subscribing": null, "subscriber_count": 13, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69931d7b5ba26f878ccbdc85", "name": "AI/LLM-Generated Malware Used to Exploit React2Shell", "description": "Recent observations from Darktrace's honeypot network, \"CloudyPots,\" highlight the use of AI-generated malware exploiting vulnerable Docker environments, specifically the Docker daemon exposed without authentication. This configuration allows attackers to discover the daemon and create containers through the Docker API, establishing initial access to the system.\n\nThe central component of the intrusion was a Python payload that acted as the execution mechanism. The payload was notably obfuscated, indicating a deliberate effort to disguise its functionality. Throughout the malware sample, there was a lack of embedded spreading logic, which is typically found in Docker malware. This omission suggests that the attackers utilized a separate remote spreading tool instead.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:36:59.775000", "tags": [ "ip address", "february", "beyondtrust", "compromise", "possible", "threat research", "darktrace", "rare external", "activity", "c2 server", "concept", "suspicious", "docker api" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1587.001", "name": "Malware", "display_name": "T1587.001 - Malware" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4, "CVE": 2, "FileHash-MD5": 4, "FileHash-SHA1": 6, "FileHash-SHA256": 3, "domain": 2, "hostname": 1 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698b41f0cbddf7e999ffcef9", "name": "AI/LLM-Generated Malware Used to Exploit\u00a0React2Shell", "description": "", "modified": "2026-03-12T14:03:57.105000", "created": "2026-02-10T14:34:24.334000", "tags": [ "snappybee", "virtualprotect", "virtualalloc", "dllmain", "follow", "deed rat", "salt typhoon", "trendmicro", "november", "cobalt strike", "python", "malware", "loader" ], "references": [ "https://www.darktrace.com/blog/ai-llm-generated-malware-used-to-exploit-react2shell?utm_source=CSN" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "URL": 7, "domain": 5 }, "indicator_count": 32, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "79 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682aea84648e090682772ff6", "name": "Analysis of Malicious Checker Packages on PyPI: Probing TikTok and Instagram", "description": "This comprehensive report from Socket.dev examines the emergence of malicious checker packages on PyPI that target TikTok and Instagram. The analysis uncovers the sophisticated tactics, techniques, and procedures (TTPs) employed by cybercriminals to exploit these platforms.", "modified": "2025-06-18T08:01:51.853000", "created": "2025-05-19T08:23:32.203000", "tags": [ "instagram", "tiktok", "pypi package", "apis", "socket threat", "march", "csrf token", "pypi", "tiktok account", "research team", "ukraine", "april", "cyber", "android", "telegram", "dark", "lazarus", "tiktok api" ], "references": [ "https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram" ], "public": 1, "adversary": "Lazarus", "targeted_countries": [], "malware_families": [ { "id": "TikTok API", "display_name": "TikTok API", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1596", "name": "Search Open Technical Databases", "display_name": "T1596 - Search Open Technical Databases" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 43, "domain": 1, "email": 2, "hostname": 3 }, "indicator_count": 49, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "346 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c08242e066fe62a86e5e24", "name": "The-Ultimate-Black-basta-chat-leak", "description": "Black Basta ransomware is actively exploiting Veeam Backup & Replication and Atlassian Confluence vulnerabilities for initial access and privilege escalation. Leaked chats reveal a structured attack strategy targeting unpatched enterprise systems. Immediate patching and enhanced monitoring are recommended to mitigate risk.", "modified": "2025-03-29T15:03:32.562000", "created": "2025-02-27T15:18:26.491000", "tags": [ "commandline", "accountname", "eventid", "newprocessname", "timegenerated", "veeam", "anydesk", "powershell", "sharename", "objectname", "lockbit", "mimikatz", "ransomware", "lsass", "procdump", "helldown", "buddy", "netscan", "blackbasta", "download", "trigger", "realvnc", "chat", "strings", "pikabot", "defender", "recon", "psexec", "persistence", "metasploit", "soar", "kill", "black basta", "atomic red", "zimbra", "socks proxy", "cobalt strike", "netcat", "execution", "team", "amadey", "shell", "formbook", "date", "look", "conti", "agenttesla", "monitoring", "meterpreter", "encodedcommand", "kali", "april", "february", "august", "batloader", "defense", "target", "manipulation", "qbot", "exploit", "speed", "null", "python", "userinit", "tools", "project", "sentinel", "black", "example" ], "references": [ "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac", "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 7, "URL": 23, "domain": 12, "email": 1, "hostname": 9 }, "indicator_count": 63, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bf134d3d66a49d24cc12e1", "name": "Malicious PyPI Package Exploits Deezer API for Coordinated M...", "description": "A malicious PyPI package that exploits the Deezer music streaming service\u2019s API for coordinated piracy has been uncovered by researchers at the Open Source Security Research Centre (OSRC) in London.", "modified": "2025-03-28T13:01:13.638000", "created": "2025-02-26T13:12:45.122000", "tags": [ "deezer", "urls", "socket", "pypi package", "pypi", "isrcs", "apis", "compromise", "france", "steal" ], "references": [ "https://socket.dev/blog/malicious-pypi-package-exploits-deezer-api-for-coordinated-music-piracy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 4, "domain": 2, "email": 1 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "428 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bdd8f7ef4e2e3e43204f78", "name": "BlackBasta ransomware", "description": "The Conti ransomware group have splintered into multiple threat groups, including Black Basta. Black Basta has emerged as one of the most significant ransomware threats. The analysis observed that Black Basta has compromised over 50 organizations in the United States, United Kingdom, Australia, New Zealand, and Canada in just two months. This indicates the group\u2019s high success rate in compromising organizations. The latest version of the ransomware is likely to enhance their ability to evade antivirus and EDR systems.", "modified": "2025-03-27T14:00:18.111000", "created": "2025-02-25T14:51:35.543000", "tags": [ "blackbasta", "ransomware" ], "references": [ "https://medium.com/@simone.kraus/black-basta-playbook-chat-leak-d5036936166d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "BlackBasta", "display_name": "BlackBasta", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8, "domain": 9, "hostname": 3 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 543, "modified_text": "429 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "593 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6655a8f77482c5968024f361", "name": "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages", "description": "", "modified": "2024-06-27T09:01:15.628000", "created": "2024-05-28T09:50:47.616000", "tags": [ "primary article", "cybersecurity", "mythic", "poseidon agent", "pbors", "india", "globshell", "sparsh", "iso image", "pdf lure", "reference", "defense", "downloader", "execution", "python", "desktop", "discord", "april", "rust", "format", "virustotal", "media", "path", "winrar", "phishing", "project", "download", "reboot", "shell", "persistence", "capture", "import" ], "references": [ "https://blogs.blackberry.com/en/2024/05/transparent-tribe-targets-indian-government-defense-and-aerospace-sectors" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1217", "name": "Browser Bookmark Discovery", "display_name": "T1217 - Browser Bookmark Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 70, "FileHash-SHA256": 86, "URL": 33, "YARA": 1, "domain": 24, "hostname": 2 }, "indicator_count": 286, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "702 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660bfb75e35090db1bd21e07", "name": "Typosquatting Campaign Targets Python Developers", "description": "As part of Phylum\u2019s annual security review, we take a look at the latest typosquat attacks targeting Python developers and how they might be used to target their own code.", "modified": "2024-04-02T12:35:01.061000", "created": "2024-04-02T12:35:01.061000", "tags": [ "research", "pypi", "march", "python", "phylum", "pytorch", "backgroundfirst", "insanepackage", "insane", "publication", "beautifulsoup26", "virustotal", "typosquatting", "zgrat" ], "references": [ "https://blog.phylum.io/typosquatting-campaign-targets-python-developers/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Typosquatting", "display_name": "Typosquatting", "target": null }, { "id": "zgRAT", "display_name": "zgRAT", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "domain": 4, "email": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "788 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "requests.post", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "requests.post", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185093.7624998 }